google-ai-mode-skill — agentic threat model
The google-ai-mode-skill presents a moderate risk profile, primarily driven by its ability to write local markdown files and its reliance on external, untrusted web data retrieved via Google AI Search, making it vulnerable to indirect prompt injection and path traversal.
OWASP AIVSS score rationale
| Autonomy of Action | 0.30 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.20 | |
| Persistent Memory | 0.00 | |
| Contextual Awareness | 0.20 | |
| Dynamic Identity | 0.00 | |
| Multi-Agent Interactions | 0.00 | |
| Non-Determinism | 0.50 | |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — uses Google's AI Search models (likely Gemini/PaLM variants) which are susceptible to prompt injection, adversarial examples, and misaligned outputs, but the specific model is abstracted.
The skill retrieves real-time data from 100+ websites via Google AI Search. This introduces risks of data poisoning (malicious web content ingested into the overview) and indirect prompt injection from external web pages.
The skill automates outbound queries and writes a markdown results file. Risks include insecure tool integration (e.g., path traversal if the markdown file write path is user-controlled) and tool misuse.
Not certain from the listing — as an open-source 'skill', deployment depends on the host environment. Risks include lack of sandboxing when writing files to the local disk and potential exposure of Google API keys/credentials.
Not certain from the listing — zero-config setup suggests minimal built-in logging, guardrails, or evaluation metrics, creating blind spots for prompt injection or malicious content retrieval.
Not certain from the listing — being an open-source skill, it lacks explicit compliance certifications (like SOC2) or built-in authorization policies, relying entirely on the host application's security posture.
Not certain from the listing — does not explicitly mention multi-agent orchestration or marketplace interactions, though as a 'skill' it may be imported into larger agentic workflows, risking cascading failures if it returns poisoned data.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).