AgentReadyHomeAgent Listing

← EPA608Pass

EPA608Pass — agentic threat model

3.8AIVSS 3.8 · Low

EPA608Pass is a low-risk educational platform with minimal to no agentic capabilities, primarily serving as a structured study tool for HVAC certification. Its security risks are aligned with standard web applications rather than autonomous AI agents.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 3.5AARS uplift 0.29Factor sum 0.5/10Threat ×0.9Mitigation ×1.0
Autonomy of Action
0.00
Goal-Driven Planning
0.00
Self-Modification
0.00
Dynamic Tool Use
0.00
Persistent Memory
0.10
Contextual Awareness
0.10
Dynamic Identity
0.00
Multi-Agent Interactions
0.00
Non-Determinism
0.20
Opacity & Reflexivity
0.10

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — The listing does not explicitly state if LLMs are used to generate explanations or questions. If an LLM is used, threats include prompt injection leading to incorrect regulatory advice or model output manipulation.

L2 · Data Operations⚠ not certain from listing

Not certain from the listing — The application relies on a database of 500+ practice questions and flashcards. Threats include database tampering, unauthorized modification of exam content, or exfiltration of user progress data.

L3 · Agent Frameworks⚠ not certain from listing

Not certain from the listing — The platform likely operates as a traditional web application rather than using an agentic orchestration framework. There are no dynamic tools or complex planning capabilities to exploit.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — Standard web hosting infrastructure is assumed. Threats are limited to typical web application vulnerabilities (e.g., cross-site scripting, broken authentication) rather than sandbox escapes or container compromise.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — No observability or LLM guardrails are mentioned. If LLMs are used for dynamic explanations, there is a risk of unmonitored hallucinations regarding EPA regulations.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — No specific security compliance frameworks (such as SOC2) or advanced identity controls are mentioned. Standard user authentication is expected.

L7 · Agent Ecosystem⚠ not certain from listing

Not certain from the listing — The agent operates in isolation as a standalone educational tool with no multi-agent or ecosystem integrations described.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).