Mezi — agentic threat model

5.8AIVSS 5.8 · Medium

Mezi is a low-risk, RAG-based educational chatbot with limited autonomy, primarily presenting risks related to proprietary data exfiltration (course PDFs/videos) and prompt injection or jailbreaking by students.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base 6.1AARS uplift 0.7Factor sum 1.8/10Threat ×1.0Mitigation ×0.85

Autonomy of Action		0.20
Goal-Driven Planning		0.10
Self-Modification		0.00
Dynamic Tool Use		0.10
Persistent Memory		0.20
Contextual Awareness		0.40
Dynamic Identity		0.00
Multi-Agent Interactions		0.00
Non-Determinism		0.50
Opacity & Reflexivity		0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models✓ mapped

Powered by GPT-4. Main threats include prompt injection to bypass course boundaries, jailbreaking to extract system prompts, and generating misaligned or inappropriate outputs to students.

L2 · Data Operations✓ mapped

Processes uploaded course videos and PDFs for RAG. Threats include document-based prompt injection (poisoning the knowledge base with malicious instructions embedded in PDFs) and unauthorized exfiltration of proprietary course materials via clever student querying.

L3 · Agent Frameworks⚠ not certain from listing

Not certain from the listing — the specific orchestration framework (e.g., LangChain, LlamaIndex) is not disclosed. Potential threats include insecure document parsing of uploaded PDFs/videos and lack of input sanitization before querying the vector database.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — details regarding the hosting environment, cloud provider, and sandboxing of the PDF/video processing pipeline are omitted, leaving potential risks of server-side request forgery (SSRF) or container escape during document ingestion.

L5 · Evaluation & Observability✓ mapped

Provides analytics on student engagement, geographic tracking, and time saved. However, there is no mention of security-specific observability, such as logging prompt injection attempts or monitoring for drift and anomalous query patterns.

L6 · Security & Compliance (cross-cutting)✓ mapped

Features password-protected links to restrict access to authorized students. However, compliance with student privacy regulations (such as FERPA or GDPR) regarding the collection of student IP/location data is not detailed.

L7 · Agent Ecosystem✓ mapped

Operates as an isolated, single-agent chatbot. There are no multi-agent interactions or external marketplace integrations described, minimizing ecosystem-level cascading risks.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).