ClearWork Discovery Agent — agentic threat model
The ClearWork Discovery Agent presents a high data-privacy and integrity risk due to its deep ingestion of sensitive organizational documentation and its autonomous execution of employee interviews. The primary threat vectors involve document-based prompt injection and the potential exfiltration or poisoning of the generated organizational knowledge graph.
OWASP AIVSS score rationale
| Autonomy of Action | 0.70 | |
| Goal-Driven Planning | 0.80 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.50 | |
| Persistent Memory | 0.70 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.20 | |
| Multi-Agent Interactions | 0.20 | |
| Non-Determinism | 0.70 | |
| Opacity & Reflexivity | 0.60 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — likely relies on commercial LLMs for document analysis and conversational interview generation. Threats include prompt injection via ingested documents or user interview responses, which could hijack the agent's logic or cause misaligned outputs.
Ingests existing documentation, process descriptions, and builds a persistent knowledge graph. This creates significant exposure to data poisoning (maliciously formatted documents corrupting the graph) and unauthorized data exfiltration of sensitive corporate IP.
Orchestrates document ingestion, gap identification, and interview execution. Vulnerabilities include insecure tool integration with the knowledge graph database and potential manipulation of the interview planning logic via adversarial inputs.
Not certain from the listing — likely hosted as a closed-source SaaS. Threats include insecure storage of ingested corporate documents, lack of tenant isolation, and potential privilege escalation if the hosting environment is compromised.
Not certain from the listing — no mention of monitoring, guardrails, or evaluation frameworks. This creates risks of conversational drift during automated interviews and undetected hallucinations in the final current state analysis.
Not certain from the listing — handling proprietary corporate data and conducting employee interviews requires strict RBAC, data privacy compliance, and audit logging, none of which are detailed in the public listing.
Not certain from the listing — operates primarily as a standalone workflow agent, but may integrate with enterprise communication platforms (e.g., Slack, Teams) to conduct interviews, introducing risks of unauthorized horizontal access or trust abuse in those ecosystems.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).