ShipGrowth — agentic threat model

AIVSS 5.6 · Medium

ShipGrowth is primarily an online directory for AI tools with minimal agentic capabilities, presenting low overall agentic risk. Its primary security exposure lies in traditional web vulnerabilities and the potential abuse of its submission system for SEO spam or malicious link distribution.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 5.3 · AARS uplift 0.31 · Factor sum 0.7/10 · Threat ×0.95 · Mitigation ×1.0

Autonomy of Action: 0.10
Goal-Driven Planning: 0.00
Self-Modification: 0.00
Dynamic Tool Use: 0.10
Persistent Memory: 0.10
Contextual Awareness: 0.10
Dynamic Identity: 0.00
Multi-Agent Interactions: 0.00
Non-Determinism: 0.20
Opacity & Reflexivity: 0.10

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing — The specific foundation models used for tool discovery and comparison are not disclosed. If LLMs are used to parse or summarize submissions, they are potentially vulnerable to prompt injection via malicious tool descriptions.

L2 · Data Operations ⚠ not certain from listing

Not certain from the listing — The platform manages a database of AI tools and user submissions. The primary threat is data poisoning, where malicious actors submit spam, phishing, or malware-hosting URLs to gain dofollow backlinks.

L3 · Agent Frameworks ⚠ not certain from listing

Not certain from the listing — There is no indication of an active agentic orchestration framework. If automated scripts or basic agents are used to validate submissions, they face risks of insecure tool execution or SSRF when fetching submitted URLs.

L4 · Deployment & Infrastructure ⚠ not certain from listing

Not certain from the listing — Standard web application hosting risks apply. Vulnerabilities in the web server or CMS hosting the directory could lead to unauthorized database access or site defacement.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing — No observability, logging, or content moderation guardrails are detailed. A lack of automated vetting for submissions increases the risk of hosting malicious content undetected.

L6 · Security & Compliance (cross-cutting) ⚠ not certain from listing

Not certain from the listing — No security compliance standards (e.g., SOC2, GDPR) are mentioned. The platform needs robust input validation and access controls to prevent unauthorized modifications to directory listings.

L7 · Agent Ecosystem ⚠ not certain from listing

Not certain from the listing — The platform does not participate in a multi-agent ecosystem. The primary ecosystem risk is external: serving as a vector for distributing links to compromised or malicious third-party AI tools.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).

These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification.