Browserbase Director — agentic threat model
Browserbase Director is a high-risk browser-automation agent that executes multi-step web tasks, which exposes it to indirect prompt injection, session hijacking, and unauthorized actions driven by untrusted web content.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.70 |
| Self-Modification | 0.20 |
| Dynamic Tool Use | 0.90 |
| Persistent Memory | 0.40 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.60 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.70 |
| Opacity & Reflexivity | 0.60 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent, in MAESTRO layer order. Entries tagged "Not certain from the listing" are general, caveated commentary for layers the public description does not pin down.
1. Foundation Models. Not certain from the listing: the specific foundation models powering the Director are not disclosed, leaving risks such as model-specific adversarial vulnerabilities or alignment gaps unquantified.
2. Data Operations. Not certain from the listing: the data operations, vector stores, and RAG mechanisms used to guide the browser agent are unspecified, though session data and cookies represent high-value targets.
3. Agent Frameworks. As a browser agent, the orchestration framework is highly vulnerable to indirect prompt injection from untrusted web pages, which could hijack the browser session to perform unauthorized actions, exfiltrate data, or abuse DOM-interaction tools.
4. Deployment & Infrastructure. Not certain from the listing: while Browserbase typically provides sandboxed browser environments, the specific infrastructure hosting, network isolation, and secret-management policies for this Director instance are not detailed.
5. Evaluation & Observability. Not certain from the listing: there is no mention of real-time session monitoring, DOM-interaction guardrails, or anomaly detection to identify and halt malicious browser behavior.
6. Security & Compliance. Not certain from the listing: compliance certifications, identity governance, and granular authorization policies governing which web domains the agent can access are not specified.
7. Agent Ecosystem. Not certain from the listing: it is unclear whether the Director coordinates with other agents or operates within a multi-agent ecosystem, though browser-based interactions could in principle trigger cascading API calls.
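The gaps called out at layers 3, 5 and 6 (indirect prompt injection via page content, no DOM-interaction guardrails, no domain-level authorization) are the kind a tool-call gate in front of the browser agent addresses. The following is an added example written for this page, not Browserbase or Director code; the action schema, the `ActionGate` class, and the allowlist values are assumptions. It denies actions outside a domain allowlist, holds data-sending actions that cross from the page being read to a different site (the usual shape of an injected instruction) until a user confirms, and keeps an audit record a session monitor could consume.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class BrowserAction:
    """One tool call the planner wants to execute (hypothetical schema)."""
    kind: str        # "navigate" | "click" | "type" | "submit"
    target_url: str  # URL the action navigates to or acts on
    source_url: str  # page the planner was reading when it proposed the action
    sensitive: bool = False  # credential/payment form, download, etc.


DATA_SENDING = {"type", "submit"}  # actions that move data off the current page


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def in_allowlist(host: str, allowlist) -> bool:
    # Exact match or subdomain of an allowlisted domain.
    return any(host == d or host.endswith("." + d) for d in allowlist)


class ActionGate:
    def __init__(self, allowlist):
        self.allowlist = frozenset(d.lower() for d in allowlist)
        self.audit = []  # (allowed, reason, action): the record a session monitor would read

    def check(self, action: BrowserAction, confirmed: bool = False):
        allowed, reason = self._decide(action, confirmed)
        self.audit.append((allowed, reason, action))
        return allowed, reason

    def _decide(self, action, confirmed):
        src, dst = host_of(action.source_url), host_of(action.target_url)
        if not in_allowlist(dst, self.allowlist):
            return False, f"target host {dst!r} is outside the domain allowlist"
        if action.kind in DATA_SENDING and src != dst and not confirmed:
            # Content read on one site asking the agent to send data to another
            # site is the typical injected instruction: hold for user confirmation.
            return False, f"cross-site {action.kind} from {src!r} to {dst!r} needs confirmation"
        if action.sensitive and not confirmed:
            return False, "sensitive action needs user confirmation"
        return True, "allowed"


if __name__ == "__main__":
    gate = ActionGate(["example.com"])  # constructed allowlist
    # Constructed sequence: a legitimate step, then an action a page's hidden text tried to induce.
    for act in (BrowserAction("navigate", "https://app.example.com/orders", "https://example.com/"),
                BrowserAction("submit", "https://collector.invalid/form", "https://app.example.com/orders")):
        print(gate.check(act))
```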
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).