download-gemini-images — agentic threat model
This agent drives a local browser session using a logged-in Chrome state to extract and download images, presenting a high risk of session hijacking, local file system exposure, and unauthorized data exfiltration if compromised.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.60 |
| Goal-Driven Planning | 0.40 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.70 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.80 |
| Multi-Agent Interactions | 0.00 |
| Non-Determinism | 0.30 |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent, in MAESTRO's standard layer order. Layers tagged "not certain from the listing" are general, caveated commentary where the public description does not pin down that layer.

- Layer 1, Foundation Models: Not certain from the listing. The agent relies on Gemini for the conversation context, but the specific underlying foundation model and its alignment controls are not detailed in this local browser-driving skill.
- Layer 2, Data Operations: The agent extracts image data from active Gemini sessions and writes files directly to the local file system. This introduces risks of local data leakage, directory traversal, or writing malicious payloads to the host disk.
- Layer 3, Agent Frameworks: The orchestration framework drives a browser session and interacts with the DOM. Insecure tool integration or DOM injection could allow an attacker to hijack the browser automation to perform unauthorized actions within the logged-in Google account.
- Layer 4, Deployment and Infrastructure: The agent runs locally using the user's logged-in Chrome state. This lacks sandboxing, exposing the user's active session cookies, local storage, and local file system to compromise if the agent's code is malicious or exploited.
- Layer 5, Evaluation and Observability: Not certain from the listing. There is no mention of logging, execution guardrails, or run-time monitoring to detect whether the browser automation is steered toward unauthorized domains or sensitive user data.
- Layer 6, Security and Compliance: The agent inherits the identity and active authentication state of the user's Chrome browser without additional authorization boundaries, violating the principle of least privilege by accessing the full Google/Gemini session.
- Layer 7, Agent Ecosystem: As a community-contributed open-source skill, there is a risk of supply chain compromise or malicious updates in the repository, which could turn the browser-driving capability into a credential harvester.
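Two of the layers above (the file-write path under Data Operations and the unmonitored navigation under Evaluation and Observability) have cheap, concrete mitigations. The following is an added defensive example, not code from the download-gemini-images skill: an exact-host allowlist for every navigation or fetch target, and a containment check that maps a page-supplied filename to a path that cannot leave the download directory. The host names, extension list and download directory are assumptions for illustration.

```python
from pathlib import Path, PurePosixPath
from urllib.parse import urlparse

# Assumed allowlist: the Gemini app itself plus Google's image-hosting origin.
ALLOWED_HOSTS = {"gemini.google.com", "lh3.googleusercontent.com"}
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".webp"}


def is_allowed_url(url: str) -> bool:
    """https-only, exact-host allowlist; blocks look-alike hosts and downgrades."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in ALLOWED_HOSTS


def safe_output_path(download_dir: str, untrusted_name: str) -> Path:
    """Map a filename taken from page content (attacker-influenced) to a path
    guaranteed to be a direct child of download_dir; ValueError otherwise."""
    base = Path(download_dir).resolve()
    # Keep only the final path component, whichever separator the input used.
    name = PurePosixPath(untrusted_name.replace("\\", "/")).name
    name = name.replace("\x00", "").lstrip(".")  # no NUL bytes, no dot-files
    if not name:
        raise ValueError("empty filename after sanitising")
    if PurePosixPath(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"disallowed extension: {name!r}")
    candidate = (base / name).resolve()
    if candidate.parent != base:  # containment check after resolving symlinks
        raise ValueError("path escapes download directory")
    return candidate


def vet_download(download_dir: str, url: str, suggested_name: str) -> tuple[bool, str]:
    """Combined gate; returns (allowed, path-or-reason) so denials can be logged."""
    if not is_allowed_url(url):
        return False, f"blocked host: {urlparse(url).hostname}"
    try:
        return True, str(safe_output_path(download_dir, suggested_name))
    except ValueError as exc:
        return False, f"blocked filename: {exc}"


if __name__ == "__main__":
    # Constructed sample inputs: one benign request followed by three hostile ones.
    samples = [
        ("https://lh3.googleusercontent.com/abc", "render.png"),
        ("https://gemini.google.com.evil.example/app", "render.png"),
        ("https://lh3.googleusercontent.com/abc", "../../.bashrc"),
        ("https://lh3.googleusercontent.com/abc", "payload.exe"),
    ]
    for url, name in samples:
        print(vet_download("./gemini-images", url, name))
```

Logging every denial from `vet_download` also gives the run-time monitoring signal that the Evaluation and Observability layer notes is missing.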
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).