Carly AI — agentic threat model
Carly AI presents a high-risk profile due to its deep integration with sensitive communication channels (email, CRM, calendar) and its susceptibility to indirect prompt injection via incoming emails, which could trigger unauthorized tool execution across 120+ integrations.
OWASP AIVSS score rationale
| Autonomy of Action | 0.80 | |
| Goal-Driven Planning | 0.70 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.60 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.60 | |
| Multi-Agent Interactions | 0.40 | |
| Non-Determinism | 0.60 | |
| Opacity & Reflexivity | 0.70 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — likely relies on third-party foundation models to parse emails and draft responses. The primary threat is indirect prompt injection, where malicious instructions embedded in incoming emails hijack the model's behavior.
Not certain from the listing — processes highly sensitive user data including emails, calendar events, CRM records, and invoices. Gaps in data isolation or lack of encryption for cached email content could lead to severe data exfiltration.
The agent framework orchestrates complex workflows across 120+ integrations. Insecure tool integration is a critical threat, as an injected prompt could abuse tools to delete CRM records, send unauthorized emails, or exfiltrate files.
Not certain from the listing — operates as a closed-source SaaS. The infrastructure must securely store and manage API keys/OAuth tokens for 120+ integrations; credential theft or host compromise would grant attackers access to connected user accounts.
Not certain from the listing — no mention of guardrails or real-time monitoring. Without robust observability, unauthorized actions triggered by malicious emails (such as modifying invoices or CRM data) could go undetected.
Not certain from the listing — despite operating in highly regulated sectors like Healthcare and Education, there is no explicit mention of compliance standards (e.g., HIPAA, FERPA, SOC2) or fine-grained authorization policies.
Supports the creation of 'custom agents' and integrates with a vast ecosystem of external services. This introduces risks of cascading failures and trust abuse if custom agents inherit broad permissions or interact insecurely with third-party APIs.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).