dispatching-parallel-agents — agentic threat model

AIVSS 9.4 · Critical

This agent acts as a high-consequence multi-agent orchestrator that programmatically spawns subagents with custom instructions. Its primary risk lies in prompt injection propagating malicious instructions to multiple isolated subagents, potentially leading to parallelized unauthorized tool or file access.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5
AARS uplift: 0.89
Factor sum: 5.9/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×1.0

Agentic risk factors:

Autonomy of Action          0.80
Goal-Driven Planning        0.70
Self-Modification           0.30
Dynamic Tool Use            0.60
Persistent Memory           0.10
Contextual Awareness        0.80
Dynamic Identity            0.30
Multi-Agent Interactions    1.00
Non-Determinism             0.60
Opacity & Reflexivity       0.70

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
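Recomputing the listing's score from the formula above, as an added example (not the AIVSS calculator's own code; the helper names and the CVSS-style severity bands are assumptions, the factor values are the ones shown on this listing):

```python
"""Recompute the OWASP AIVSS score shown for this listing (added example;
function names are mine, factor values are the listing's)."""
from typing import Mapping

# Agentic risk factors as scored on the listing, each within 0.0-1.0.
FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.70,
    "Self-Modification": 0.30,
    "Dynamic Tool Use": 0.60,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.30,
    "Multi-Agent Interactions": 1.00,
    "Non-Determinism": 0.60,
    "Opacity & Reflexivity": 0.70,
}

def aars(cvss_base: float, factors: Mapping[str, float], threat_multiplier: float = 1.0) -> float:
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM.
    The uplift scales the headroom (10 - CVSS_Base) by a fraction of at most
    1.0, so with ThM <= 1 the total can never exceed 10."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base {cvss_base} must be within 0.0-10.0")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} = {value} must be within 0.0-1.0")
    return (10.0 - cvss_base) * (sum(factors.values()) / 10.0) * threat_multiplier

def aivss(cvss_base: float, factors: Mapping[str, float],
          threat_multiplier: float = 1.0, mitigation_factor: float = 1.0) -> float:
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor."""
    return (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor

def severity(score: float) -> str:
    """Qualitative band; assumed to use the CVSS v3 cut-offs (9.0 and above is Critical)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "None"

if __name__ == "__main__":
    # Listing inputs: CVSS base 8.5, threat multiplier 1.0, mitigation factor 1.0.
    score = aivss(8.5, FACTORS)
    print(f"AARS {aars(8.5, FACTORS):.2f}  AIVSS {score:.1f} ({severity(score)})")
```

With the listing's inputs the factor sum is 5.9, the AARS uplift 0.885 (shown as 0.89) and the total 9.385 (shown as 9.4), which matches the Critical rating above.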

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The specific foundation models used to drive the orchestrator and subagents are not disclosed, leaving risks like model reprogramming or adversarial prompt injection unquantified at the model level.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — While the agent controls what files subagents touch and isolates session history, the underlying data storage, vector databases, or retrieval mechanisms are not specified.

L3 · Agent Frameworks (✓ mapped)

The framework dynamically crafts instructions and dispatches subagents. This introduces severe risks of prompt injection where malicious input in a failure report could hijack the instruction-crafting template, leading to unauthorized tool execution by subagents.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — Although 'isolated-context' is mentioned, it is unclear whether this isolation is enforced at the logical application layer or via secure infrastructure-level sandboxing (e.g., microVMs, gVisor).

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of evaluation frameworks, real-time monitoring, or guardrails to detect when a dispatched subagent has been compromised or is behaving anomalously.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — The directory listing does not specify any identity management, access control policies, or compliance audits governing how subagents inherit or restrict permissions.

L7 · Agent Ecosystem (✓ mapped)

This agent is highly exposed to ecosystem risks. A single compromised orchestrator can spawn multiple rogue subagents, leading to cascading failures, parallelized resource exhaustion, and lateral trust abuse across the toolsets they access.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).