AgentReadyHomeAgent Listing

← Agent Herbie

Agent Herbie — agentic threat model

9.3AIVSS 9.3 · Critical

Agent Herbie presents a high-risk profile due to its primary interface being email, which exposes it directly to external prompt injection attacks, combined with its access to sensitive internal executive data and external data sources.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.5AARS uplift 0.8Factor sum 5.1/10Threat ×1.05Mitigation ×1.0
Autonomy of Action
0.70
Goal-Driven Planning
0.60
Self-Modification
0.10
Dynamic Tool Use
0.70
Persistent Memory
0.50
Contextual Awareness
0.70
Dynamic Identity
0.40
Multi-Agent Interactions
0.10
Non-Determinism
0.60
Opacity & Reflexivity
0.70

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — The underlying foundation models are not specified. However, because the agent processes incoming emails, it is highly vulnerable to indirect prompt injection attacks embedded in email bodies or attachments, potentially leading to model hijacking or data exfiltration.

L2 · Data Operations✓ mapped

The agent integrates with both internal and external data sources to conduct research and analysis. This creates a significant risk of data exfiltration if an attacker can manipulate the agent into sending sensitive internal data via email, or data poisoning if the agent ingests malicious external sources.

L3 · Agent Frameworks✓ mapped

The orchestration framework manages email-based task execution, research, and content creation. Insecure tool integration with email clients could allow attackers to trigger unauthorized actions (e.g., sending emails, deleting tasks) via malicious instructions sent to the agent's inbox.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — The hosting, sandboxing, and credential storage mechanisms are undisclosed. If email API keys or internal database credentials are not securely isolated, a compromise of the agent's infrastructure could lead to broader credential theft.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — There is no mention of logging, guardrails, or evaluation frameworks. The lack of visibility into how the agent processes incoming emails makes it difficult to detect and block prompt injection or anomalous behavior in real-time.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — No security certifications (e.g., SOC2), compliance alignments, or explicit access control policies are mentioned, suggesting a lack of formal governance over sensitive executive data.

L7 · Agent Ecosystem⚠ not certain from listing

Not certain from the listing — While the agent interacts with external data sources and email ecosystems, there is no explicit mention of multi-agent coordination or marketplace integrations that would introduce cascading agent-to-agent trust risks.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).