AgentReadyHomeAgent Listing

← Body Shape Calculator

Body Shape Calculator — agentic threat model

5.7AIVSS 5.7 · Medium

The Body Shape Calculator is a low-autonomy, single-purpose utility with minimal agentic risk, but it carries high privacy and compliance risks due to the processing of sensitive user body photos without registration or explicit security controls.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 5.3AARS uplift 0.42Factor sum 0.9/10Threat ×1.0Mitigation ×1.0
Autonomy of Action
0.10
Goal-Driven Planning
0.00
Self-Modification
0.00
Dynamic Tool Use
0.10
Persistent Memory
0.00
Contextual Awareness
0.10
Dynamic Identity
0.00
Multi-Agent Interactions
0.00
Non-Determinism
0.20
Opacity & Reflexivity
0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — likely uses a computer vision or multimodal foundation model to analyze body proportions. Threats include adversarial image perturbations that trick the model into incorrect classifications or model extraction attacks.

L2 · Data Operations⚠ not certain from listing

Not certain from the listing — processes uploaded user images. Since no registration is required, data is likely processed ephemerally, but there is a risk of image caching, data leakage, or unauthorized retention of sensitive body photos.

L3 · Agent Frameworks⚠ not certain from listing

Not certain from the listing — likely a simple pipeline rather than a complex agentic framework. Risks of tool misuse are low, but insecure handling of image file uploads (e.g., remote code execution via malicious image metadata) is a threat.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — hosted as a web application. Threats include server-side request forgery (SSRF) via image URLs if URL upload is supported, or standard web application vulnerabilities allowing access to the underlying hosting environment.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — no visible monitoring or guardrails. Gaps in observability could allow attackers to upload abusive/NSFW content undetected or perform high-volume scraping of the service.

L6 · Security & Compliance (cross-cutting)✓ mapped

No registration required and closed source. This presents significant compliance risks under GDPR/CCPA regarding biometric data and consent, as there are no explicit identity or access management controls visible.

L7 · Agent Ecosystem✓ mapped

This is a standalone, single-purpose utility with no multi-agent or ecosystem integration described, making ecosystem-level threats (like cascading agent failures) non-applicable.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).