Ava — agentic threat model

AIVSS 8.7 · High

Ava presents a moderate-to-high risk profile due to its integration with sensitive communication channels (Gmail, Google Calendar) and its processing of high-value real estate contracts containing PII and financial data. The primary threat vector is prompt injection via untrusted contract documents leading to unauthorized email dispatch or timeline manipulation.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 7.5 · AARS uplift 1.23 · Factor sum 4.9/10 · Threat ×1.0 · Mitigation ×1.0

Autonomy of Action: 0.60
Goal-Driven Planning: 0.70
Self-Modification: 0.10
Dynamic Tool Use: 0.60
Persistent Memory: 0.50
Contextual Awareness: 0.80
Dynamic Identity: 0.40
Multi-Agent Interactions: 0.10
Non-Determinism: 0.50
Opacity & Reflexivity: 0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing — The underlying foundation models are unspecified. The primary threat is indirect prompt injection via malicious text embedded within uploaded real estate contracts, which could manipulate the model's timeline generation or email drafting behavior.

L2 · Data Operations ✓ mapped

Ava ingests and processes highly sensitive real estate contracts containing PII, financial terms, and critical dates. Threats include data exfiltration of sensitive transaction details and unauthorized access to stored contract data.

L3 · Agent Frameworks ✓ mapped

The agent orchestrates workflows, extracts timeline dates, and calls external tools (Gmail, Google Calendar). Threats include insecure tool integration where manipulated outputs trigger unauthorized email dispatches to transaction parties or incorrect calendar scheduling.

L4 · Deployment & Infrastructure ⚠ not certain from listing

Not certain from the listing — The hosting environment and document parsing sandbox controls are not detailed. Threats include server-side request forgery (SSRF) or remote code execution (RCE) during the parsing of untrusted PDF/Word contracts.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing — No observability, logging, or guardrail mechanisms are mentioned. This creates a blind spot where incorrect timeline extractions or malicious email drafts may go undetected before execution.

L6 · Security & Compliance (cross-cutting) ⚠ not certain from listing

Not certain from the listing — Compliance with financial or real estate data privacy regulations (e.g., GLBA) and identity/access management controls for Gmail/Calendar OAuth are not specified.

L7 · Agent Ecosystem ✓ mapped

Ava operates as a vertical, single-agent transaction assistant without multi-agent collaboration or marketplace interactions, minimizing ecosystem-specific cascading risks.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).