
Agent Browser — agentic threat model

AIVSS 7.4 · High

Agent Browser presents a moderate-to-high risk profile due to its active browser-automation capabilities, which are highly susceptible to indirect prompt injection from untrusted web content. While its built-in audit trails and safety boundaries provide valuable oversight, executing web workflows inherently exposes session data and downstream systems to abuse.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 7.5
AARS uplift: 1.2
Factor sum: 4.8/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.85
Autonomy of Action: 0.60
Goal-Driven Planning: 0.80
Self-Modification: 0.10
Dynamic Tool Use: 0.80
Persistent Memory: 0.30
Contextual Awareness: 0.60
Dynamic Identity: 0.40
Multi-Agent Interactions: 0.10
Non-Determinism: 0.70
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
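To make the score above reproducible, here is an added example (not the page's own code and not the OWASP AIVSS calculator) that implements the formula as stated, feeds it the ten factor values from this listing, and re-runs it with hypothetical adjusted inputs so a reviewer can see how tightening controls moves the score. The adjusted factor values and the 0.70 mitigation factor in the what-if runs are illustrative assumptions, not values from the listing, and no clamp to 10 is applied because the page's formula states none.

```python
from dataclasses import dataclass

# Agentic risk factors as scored on this page (each factor ranges 0.0 to 1.0).
AGENT_BROWSER_FACTORS = {
    "Autonomy of Action": 0.60,
    "Goal-Driven Planning": 0.80,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.30,
    "Contextual Awareness": 0.60,
    "Dynamic Identity": 0.40,
    "Multi-Agent Interactions": 0.10,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.40,
}

@dataclass(frozen=True)
class AIVSSResult:
    factor_sum: float   # Factor_Sum, out of 10
    aars: float         # agentic risk uplift added to the CVSS base
    score: float        # final AIVSS, rounded to one decimal

def aivss(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """AIVSS = (CVSS_Base + AARS) x Mitigation_Factor, with
    AARS = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM, as given on the page."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must lie in [0, 10]")
    if len(factors) != 10 or any(not 0.0 <= v <= 1.0 for v in factors.values()):
        raise ValueError("expected ten agentic factors, each in [0, 1]")
    factor_sum = sum(factors.values())
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    score = (cvss_base + aars) * mitigation_factor
    return AIVSSResult(round(factor_sum, 2), round(aars, 2), round(score, 1))

def agent_browser_score():
    """Reproduce the listing's 7.4 from CVSS base 7.5, ThM 1.0, mitigation 0.85."""
    return aivss(7.5, AGENT_BROWSER_FACTORS, threat_multiplier=1.0, mitigation_factor=0.85)

def rescore(factor_overrides=None, mitigation_factor=0.85):
    """What-if run with hypothetical adjusted factors or a stronger mitigation
    factor, to show how much a given control would move the final score."""
    factors = {**AGENT_BROWSER_FACTORS, **(factor_overrides or {})}
    return aivss(7.5, factors, threat_multiplier=1.0, mitigation_factor=mitigation_factor)

if __name__ == "__main__":
    print(agent_browser_score())                                            # 4.8 / 1.2 / 7.4
    print(rescore({"Autonomy of Action": 0.40, "Dynamic Tool Use": 0.40}))  # 4.2 / 1.05 / 7.3
    print(rescore(mitigation_factor=0.70))                                  # 4.8 / 1.2 / 6.1
```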

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary because the public description does not pin down that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing — The underlying foundation models are not specified. However, because the agent processes arbitrary web pages, it is highly vulnerable to indirect prompt injection, where malicious instructions embedded in web content hijack the model's behavior.

L2 · Data Operations ⚠ not certain from listing

Not certain from the listing — The data storage, vector databases, and RAG mechanisms are not detailed. The primary data risk involves the temporary handling and potential exfiltration of sensitive user data entered into or scraped from web forms.

L3 · Agent Frameworks ✓ mapped

The agent framework translates plain-language goals into multi-step browser actions (form navigation, data collection). Threats include tool misuse, where the planning engine is tricked into executing unintended actions such as submitting forms with malicious payloads or clicking malicious links.

L4 · Deployment & Infrastructure ⚠ not certain from listing

Not certain from the listing — The deployment architecture (e.g., whether the browser runs in a secure, isolated cloud sandbox or locally) is not specified. A lack of strict sandboxing could allow a compromised browser session to perform SSRF or access local network resources.

L5 · Evaluation & Observability ✓ mapped

The agent includes strong observability features, specifically screenshot-based evidence trails and reviewable audit trails. This mitigates the threat of silent failures, though there remains a risk of log tampering if the agent's execution environment is fully compromised.

L6 · Security & Compliance (cross-cutting) ✓ mapped

The agent defines 'operator safety boundaries' to restrict actions, but the listing lacks details on enterprise-grade security controls such as role-based access control (RBAC), credential management for web forms, or compliance certifications.

L7 · Agent Ecosystem ⚠ not certain from listing

Not certain from the listing — There is no mention of multi-agent orchestration or integration with an agent marketplace, suggesting ecosystem-level threats are currently out of scope.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).