AgentReadyHomeAgent Listing

← Amazon Nova Act

Amazon Nova Act — agentic threat model

8.9AIVSS 8.9 · High

Amazon Nova Act exhibits a high-risk agentic profile due to its browser-based automation capabilities (such as checkout and form completion), which allow it to execute real-world financial and data transactions. The primary risk stems from indirect prompt injection via untrusted web content, which could hijack the agent's browser actions.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.5AARS uplift 0.9Factor sum 5.7/10Threat ×1.05Mitigation ×0.95
Autonomy of Action
0.80
Goal-Driven Planning
0.80
Self-Modification
0.10
Dynamic Tool Use
0.80
Persistent Memory
0.30
Contextual Awareness
0.70
Dynamic Identity
0.60
Multi-Agent Interactions
0.30
Non-Determinism
0.70
Opacity & Reflexivity
0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models✓ mapped

Built on the Amazon Nova suite of foundation models. The primary threat is adversarial prompt injection, particularly indirect prompt injection where malicious instructions embedded in web pages manipulate the model's browser actions.

L2 · Data Operations⚠ not certain from listing

Not certain from the listing — Specific training data pipelines or RAG architectures are not detailed. However, the agent dynamically processes live web data during browsing, risking data poisoning or exposure to malicious payloads on third-party sites.

L3 · Agent Frameworks✓ mapped

Uses the Nova Act SDK to orchestrate complex workflows with atomic commands. Threats include tool misuse, where the agent is tricked into executing unintended actions like unauthorized checkouts or form submissions.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — The hosting infrastructure and browser sandboxing mechanisms are not specified. If the browser execution environment is not strictly isolated, threats include session hijacking, cookie theft, or local container compromise.

L5 · Evaluation & Observability✓ mapped

Performance is benchmarked on ScreenSpot Web Text, but real-time guardrails and observability features are not detailed. The lack of visible runtime monitoring for automated browser actions represents a significant detection gap.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — Specific compliance alignments, identity management, or authorization policies for handling user credentials during browser sessions are not described.

L7 · Agent Ecosystem✓ mapped

Integrates with Alexa+ to enhance voice assistant capabilities. This multi-system interaction introduces threats of cascading failures and trust abuse, where compromised voice commands could trigger unauthorized browser actions.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).