AgentReadyHomeAgent Listing

← DearFlow

DearFlow — agentic threat model

9.5AIVSS 9.5 · Critical

DearFlow (Flora) presents a high-risk profile due to its deep integration with sensitive user channels (email, calendar, documents) and its proactive execution capabilities, making it highly vulnerable to indirect prompt injection via incoming emails.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.8AARS uplift 0.74Factor sum 5.9/10Threat ×1.05Mitigation ×1.0
Autonomy of Action
0.70
Goal-Driven Planning
0.60
Self-Modification
0.30
Dynamic Tool Use
0.80
Persistent Memory
0.80
Contextual Awareness
0.80
Dynamic Identity
0.50
Multi-Agent Interactions
0.10
Non-Determinism
0.60
Opacity & Reflexivity
0.70

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — The underlying foundation models are unspecified. The primary threat is indirect prompt injection, where malicious instructions embedded in incoming emails hijack the model's output generation or tool-calling behavior.

L2 · Data Operations⚠ not certain from listing

Not certain from the listing — The agent acts as a 'Documents Keeper' and monitors emails/calendars, implying local storage or vector databases for user data. Threats include unauthorized data exfiltration of sensitive documents and lack of data lineage controls.

L3 · Agent Frameworks✓ mapped

Flora orchestrates email monitoring, auto-drafting, and inbox cleanup. The orchestration framework is highly vulnerable to tool misuse (e.g., deleting emails or unsubscribing from legitimate services) triggered by adversarial email content.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — The hosting and sandboxing environment for this closed-source, freemium SaaS is unknown. A compromise at this layer could expose OAuth tokens allowing full access to users' inbox and calendar providers.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — There is no mention of real-time guardrails, input filtering, or transaction logging to detect and block malicious prompt injections before they trigger automated email drafts or cleanup actions.

L6 · Security & Compliance (cross-cutting)✓ mapped

The agent requires extensive read/write/delete OAuth permissions to manage emails, calendars, and documents. As a closed-source freemium tool with no cited security compliance (e.g., SOC2), it poses significant supply-chain and data-privacy risks.

L7 · Agent Ecosystem⚠ not certain from listing

Not certain from the listing — While primarily a single-agent assistant, it operates within the broader email ecosystem, making it a target for external automated agents sending malicious payloads to trigger cascading actions in the user's inbox.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).