Martin — agentic threat model
Martin exhibits a high-risk agentic profile due to its deep integration with sensitive communication channels (Slack, WhatsApp, email, phone) and its ability to autonomously execute actions like sending messages and making calls. The lack of visible security controls combined with susceptibility to indirect prompt injection via incoming messages presents a significant threat of unauthorized data access and social engineering.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.70 |
| Self-Modification | 0.30 |
| Dynamic Tool Use | 0.90 |
| Persistent Memory | 0.80 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.70 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.70 |
| Opacity & Reflexivity | 0.60 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” carry general, caveated commentary where the public description does not pin down that layer.
Layer 1, Foundation Models: Not certain from the listing — likely uses commercial LLMs for advanced voice and text processing. Primary threats include prompt injection via incoming emails or Slack messages, which could hijack the model's instructions.
Layer 2, Data Operations: Not certain from the listing — stores user history, calendar data, and inbox contents to build long-term context. This creates a high-value target for data exfiltration and vector database/memory poisoning.
Layer 3, Agent Frameworks: Orchestrates highly sensitive tools including email, Slack, SMS, and phone calls. Insecure tool integration could allow an attacker to trigger unauthorized outbound communications or data deletion via indirect prompt injection.
Layer 4, Deployment and Infrastructure: Not certain from the listing — deployed as an iOS and web application. The infrastructure must securely store highly sensitive OAuth tokens for third-party integrations (Google, Microsoft, Slack); compromise of these secrets would grant full access to user accounts.
Layer 5, Evaluation and Observability: Not certain from the listing — no details are provided regarding output filtering, voice call monitoring, or guardrails to prevent the agent from being manipulated into making fraudulent calls or sending spam.
Layer 6, Security and Compliance: Not certain from the listing — requires broad read/write permissions across personal and professional communication channels, but lacks visible security certifications (e.g., SOC 2) or granular user-defined access policies.
Layer 7, Agent Ecosystem: Operates directly within multi-user ecosystems (Slack, WhatsApp, email). It is highly vulnerable to ecosystem-based threats where external malicious actors send messages designed to exploit the agent's autonomous capabilities.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).