HeyLibbyAI — agentic threat model

8.8AIVSS 8.8 · High

HeyLibbyAI presents a moderate-to-high risk profile due to its autonomous, omnichannel communication capabilities (SMS, calls, emails) and direct integrations with critical business systems like Salesforce and Google Sheets. A compromise could lead to automated phishing, data exfiltration, and brand damage through unauthorized outbound campaigns.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base 7.5AARS uplift 1.29Factor sum 4.9/10Threat ×1.05Mitigation ×1.0

Autonomy of Action		0.80
Goal-Driven Planning		0.60
Self-Modification		0.10
Dynamic Tool Use		0.70
Persistent Memory		0.50
Contextual Awareness		0.60
Dynamic Identity		0.20
Multi-Agent Interactions		0.20
Non-Determinism		0.70
Opacity & Reflexivity		0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models✓ mapped

Uses ChatGPT and ElevenLabs for conversational AI and voice generation. Threats include adversarial prompt injection to bypass brand-aligned guidelines, model reprogramming to output malicious content, and voice cloning abuse.

L2 · Data Operations✓ mapped

Integrates with Salesforce, HoneyBook, and Google Sheets to manage customer leads and scheduling. Threats include data exfiltration of sensitive CRM records via prompt injection and unauthorized modification of lead sheets.

L3 · Agent Frameworks✓ mapped

Orchestrates multi-channel communication, lead qualification, and scheduling. Threats include insecure tool integration where an attacker manipulates the agent into executing unauthorized API calls to connected CRMs or scheduling systems.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — details regarding hosting, secrets management for API keys (OpenAI, ElevenLabs, Salesforce), and sandboxing are not specified. Compromise of these secrets would grant full access to integrated business accounts.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — while sentiment analysis is mentioned, there is no explicit detail on real-time guardrails, drift detection, or logging mechanisms to detect and block malicious prompt injections or abusive inputs.

L6 · Security & Compliance (cross-cutting)✓ mapped

Offers white-labeling for resellers and handles outbound marketing. Threats include tenant isolation failures in reseller environments and compliance violations (e.g., TCPA, GDPR) if the agent is manipulated into sending spam or unauthorized outbound calls.

L7 · Agent Ecosystem✓ mapped

Integrates directly with external platforms like Salesforce and HoneyBook. Threats include cascading failures where a compromise in the agent's ecosystem allows lateral movement or unauthorized data synchronization into the client's primary business tools.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).