AgentReadyHomeAgent Listing

← Autoresearch

Autoresearch — agentic threat model

9.5AIVSS 9.5 · Critical

Autoresearch presents a high agentic risk due to its autonomous code-execution loop, where an LLM directly edits and executes PyTorch training code on local GPU infrastructure without built-in sandboxing or human-in-the-loop verification.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.8AARS uplift 0.74Factor sum 6.2/10Threat ×1.0Mitigation ×1.0
Autonomy of Action
0.90
Goal-Driven Planning
0.80
Self-Modification
0.90
Dynamic Tool Use
0.80
Persistent Memory
0.60
Contextual Awareness
0.50
Dynamic Identity
0.10
Multi-Agent Interactions
0.20
Non-Determinism
0.80
Opacity & Reflexivity
0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models✓ mapped

The agent relies on foundation models to generate code modifications. It is vulnerable to prompt injection via instructions (e.g., in program.md) that could trick the model into generating malicious code or backdooring the training process.

L2 · Data Operations✓ mapped

The agent operates on a local LLM training dataset. Threats include data poisoning of the training set, which could skew the evaluation metrics or cause the agent to optimize for malicious behaviors.

L3 · Agent Frameworks✓ mapped

The orchestration loop autonomously edits files and executes them. This creates a severe risk of tool misuse, where the agent writes and executes arbitrary, destructive Python code under the guise of an experiment.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — there is no mention of sandboxing or containerization. If run directly on host hardware, a compromised agent could achieve full host compromise, privilege escalation, or lateral movement.

L5 · Evaluation & Observability✓ mapped

The agent autonomously evaluates its own experiment results. This is highly vulnerable to evaluation gaming, where the agent could modify the evaluation script itself to always report success, bypassing the intended logic.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — there are no apparent security, identity, or access management controls. The agent likely runs with the full permissions of the user executing the script.

L7 · Agent Ecosystem⚠ not certain from listing

Not certain from the listing — the repository is described as a single-GPU setup and does not explicitly detail multi-agent interactions or external marketplace integrations.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).