
Calk AI — agentic threat model

AIVSS 9.4 · Critical

Calk AI acts as a high-risk horizontal integration hub that connects multiple LLMs to sensitive corporate data sources like HubSpot, Notion, and Airtable. The combination of multi-tool execution capabilities and lack of explicit security guardrails or sandboxing in the public listing presents a significant attack surface for prompt injection and unauthorized data exfiltration.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5
AARS uplift: 0.91
Factor sum: 5.8/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0
Agentic risk factors (each scored 0.00 to 1.00):

Autonomy of Action: 0.70
Goal-Driven Planning: 0.60
Self-Modification: 0.20
Dynamic Tool Use: 0.80
Persistent Memory: 0.50
Contextual Awareness: 0.80
Dynamic Identity: 0.40
Multi-Agent Interactions: 0.70
Non-Determinism: 0.60
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
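As an added worked example (not part of the listing, and not Calk AI's or the OWASP AIVSS project's code), the following Python reproduces the arithmetic above from the ten factor values shown, so the 5.8 factor sum, the 0.91 AARS uplift and the 9.4 total can be checked rather than taken on trust. The 10.0 ceiling, the CVSS-style severity bands and the what-if override values are assumptions of this example and are marked as such in the comments.

```python
# Added worked example for the AIVSS arithmetic shown on this page.
# This is not Calk AI's code and not the OWASP AIVSS calculator; it only
# implements the formula quoted above with the listing's own inputs.

CVSS_BASE = 8.5            # CVSS base score from the listing
THREAT_MULTIPLIER = 1.05   # ThM, "Threat ×1.05" on the page
MITIGATION_FACTOR = 1.0    # "Mitigation ×1.0": no mitigations credited

# The ten agentic risk factors, each in [0, 1], as scored for Calk AI.
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.70,
    "Goal-Driven Planning": 0.60,
    "Self-Modification": 0.20,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.50,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.40,
    "Multi-Agent Interactions": 0.70,
    "Non-Determinism": 0.60,
    "Opacity & Reflexivity": 0.50,
}


def factor_sum(factors):
    """Sum of the ten agentic factors; validates the count and the 0..1 range."""
    values = list(factors.values())
    if len(values) != 10:
        raise ValueError("AIVSS expects exactly ten agentic factors")
    if any(not 0.0 <= v <= 1.0 for v in values):
        raise ValueError("each agentic factor must lie in [0, 1]")
    return round(sum(values), 2)


def aars(cvss_base, factors, threat_multiplier):
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier, mitigation_factor):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, rounded to one decimal.

    Capping at 10.0 is an assumption of this example: with ThM > 1 a high
    base score could otherwise exceed the scale's ceiling.
    """
    score = (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor
    return round(min(score, 10.0), 1)


def severity(score):
    """Qualitative band. Assumption: AIVSS reuses the CVSS v3.x bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def rescore_with(factors, **overrides):
    """Re-run the formula with some factors changed, e.g. to see how much a
    control such as sandboxed tool execution would move the score through
    'Dynamic Tool Use'. Override values passed in are hypothetical."""
    adjusted = {**factors, **overrides}
    return aivss(CVSS_BASE, adjusted, THREAT_MULTIPLIER, MITIGATION_FACTOR)


if __name__ == "__main__":
    total = aivss(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER, MITIGATION_FACTOR)
    print(f"factor sum {factor_sum(AGENTIC_FACTORS)}, "
          f"AARS {aars(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER):.2f}, "
          f"AIVSS {total} ({severity(total)})")
    # Hypothetical what-if: halving Dynamic Tool Use (e.g. via tool sandboxing).
    print("with Dynamic Tool Use = 0.40:",
          rescore_with(AGENTIC_FACTORS, **{"Dynamic Tool Use": 0.40}))
```

Running it shows the 8.5 CVSS base dominates: because the uplift is scaled by (10 − CVSS_Base), even a large change in a single agentic factor moves the headline score by only a few hundredths, so for this listing the agentic factors mainly refine severity rather than determine it.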

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ✓ mapped

Supports multiple external foundation models (GPT, Claude, Mistral, Llama). This multi-model approach exposes the platform to model-specific prompt injection vulnerabilities, adversarial exploitation, and inconsistent alignment behaviors across different model providers.

L2 · Data Operations · ✓ mapped

Agents are trained on internal company data and knowledge hubs. This introduces severe risks of knowledge-base poisoning, unauthorized data access, and embedding inversion if sensitive corporate documents are ingested without strict access controls.

L3 · Agent Frameworks · ✓ mapped

Features a no-code agent builder with tool-connected workflows (HubSpot, Notion, Airtable). Insecure tool integration or prompt injection could allow an attacker to abuse these connections to read, modify, or delete critical business data.

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing — there is no mention of how API keys for third-party integrations (HubSpot, Airtable, etc.) are securely stored, or whether agent execution environments are sandboxed to prevent lateral movement.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — the description lacks details regarding real-time monitoring, execution logging, or guardrails to detect and intercept malicious tool calls or anomalous agent behaviors.

L6 · Security & Compliance (cross-cutting) · ⚠ not certain from listing

Not certain from the listing — while team collaboration and shared agents are supported, the listing does not specify whether role-based access control (RBAC), enterprise single sign-on (SSO), or compliance audits (e.g., SOC 2) are enforced.

L7 · Agent Ecosystem · ✓ mapped

Supports an 'AI workforce' with shared agents and collaborative workflows. This ecosystem is vulnerable to cascading failures and trust abuse, where a compromised agent could trigger malicious actions across other connected agents or shared knowledge hubs.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).