Rasa — agentic threat model
Rasa is an enterprise-grade conversational framework with moderate agentic risk, primarily driven by its ability to execute custom backend actions and handle sensitive customer data, though mitigated by strong on-prem deployment options and governance features.
OWASP AIVSS score rationale

| Agentic risk factor | Score | Notes |
|---|---|---|
| Autonomy of Action | 0.50 | |
| Goal-Driven Planning | 0.40 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.60 | |
| Persistent Memory | 0.50 | |
| Contextual Awareness | 0.70 | |
| Dynamic Identity | 0.20 | |
| Multi-Agent Interactions | 0.30 | |
| Non-Determinism | 0.40 | |
| Opacity & Reflexivity | 0.40 | |
Scored with the canonical OWASP AIVSS formula (see the AIVSS calculator reference); the agentic risk factors are estimated from the agent's publicly described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent, listed in MAESTRO layer order. Layers tagged "not certain from listing" are general, caveated commentary where the public description did not pin that layer.

- Layer 1, Foundation Models: Rasa utilizes NLU and LLM-based conversational models. Primary threats include adversarial prompt injection to bypass dialogue policies, and model poisoning if custom NLU models are trained on untrusted user inputs.
- Layer 2, Data Operations: Rasa relies on structured training data (intents, entities, stories) and backend databases. Threats include training data poisoning (manipulating intents) and unauthorized data exfiltration via custom action backend integrations.
- Layer 3, Agent Frameworks: The framework orchestrates dialogue via policies and custom actions (Python SDK). Threats include insecure custom action code execution, tool/API misuse, and state tracker manipulation.
- Layer 4, Deployment and Infrastructure: Supports on-prem or cloud deployment. Threats include container compromise of the Rasa server or action server, and exposure of the webhook/REST endpoints to unauthorized traffic.
- Layer 5, Evaluation and Observability: Rasa Pro and Studio provide analytics and governance. Gaps include insufficient logging of LLM-based hallucinations or prompt injections if guardrails are not explicitly configured.
- Layer 6, Security and Compliance: Emphasizes data control and enterprise governance. Threats include weak authentication on action webhooks or Rasa X/Studio API endpoints, and lack of fine-grained RBAC in self-hosted environments.
- Layer 7, Agent Ecosystem: Not certain from the listing — Rasa is primarily a single-assistant framework with channel connectors. Multi-agent trust abuse or cascading failures are not natively described, though custom routing to external APIs/bots is possible.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification.