Browserbase Director — agentic threat model

AIVSS 9.5 · Critical

Browserbase Director is a high-risk browser automation agent capable of executing multi-step web tasks, exposing it to indirect prompt injection, session hijacking, and unauthorized actions via untrusted web content.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.5 · AARS uplift 0.97 · Factor sum 5.9/10 · Threat ×1.1 · Mitigation ×1.0

Autonomy of Action: 0.80
Goal-Driven Planning: 0.70
Self-Modification: 0.20
Dynamic Tool Use: 0.90
Persistent Memory: 0.40
Contextual Awareness: 0.80
Dynamic Identity: 0.60
Multi-Agent Interactions: 0.20
Non-Determinism: 0.70
Opacity & Reflexivity: 0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — The specific foundation models powering the Director are not disclosed, leaving risks like model-specific adversarial vulnerabilities or alignment gaps unquantified.

L2 · Data Operations · ⚠ not certain from listing

Not certain from the listing — The data operations, vector stores, and RAG mechanisms used to guide the browser agent are unspecified, though session data and cookies represent high-value targets.

L3 · Agent Frameworks · ✓ mapped

As a browser agent, the orchestration framework is highly vulnerable to indirect prompt injection from untrusted web pages, which could hijack the browser session to perform unauthorized actions, exfiltrate data, or abuse DOM interaction tools.

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing — While Browserbase typically provides sandboxed browser environments, the specific infrastructure hosting, network isolation, and secret management policies for this Director instance are not detailed.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — There is no mention of real-time session monitoring, DOM-interaction guardrails, or anomaly detection to identify and halt malicious browser behavior.

L6 · Security & Compliance (cross-cutting) · ⚠ not certain from listing

Not certain from the listing — Compliance certifications, identity governance, and granular authorization policies governing what web domains the agent can access are not specified.

L7 · Agent Ecosystem · ⚠ not certain from listing

Not certain from the listing — It is unclear if the Director coordinates with other agents or operates within a multi-agent ecosystem, though browser-based interactions could theoretically trigger cascading API calls.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).