Open Human — agentic threat model
OpenHuman presents a unique risk profile: while its local-first, privacy-centric architecture significantly reduces cloud-based data exfiltration vectors, its deep integration with personal emails, messages, and notes combined with a multi-agent 'Council of Agents' architecture creates a high-impact surface for local memory poisoning and cross-agent trust abuse.
OWASP AIVSS score rationale
| Autonomy of Action | 0.40 | |
| Goal-Driven Planning | 0.60 | |
| Self-Modification | 0.30 | |
| Dynamic Tool Use | 0.50 | |
| Persistent Memory | 0.90 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.20 | |
| Multi-Agent Interactions | 0.70 | |
| Non-Determinism | 0.60 | |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The specific foundation models used locally are not disclosed. Threats include model reprogramming or adversarial prompt injection via ingested local files, emails, or messages, which could manipulate the local LLM's behavior.
The agent builds a persistent knowledge base from highly sensitive personal data (emails, messages, notes) stored locally. The primary threat is local data/knowledge-base poisoning, where malicious incoming emails or messages inject adversarial context into the vector store, leading to persistent manipulation of the agent's memory.
The framework orchestrates persistent memory and proactive intelligence. Threats include memory poisoning and insecure tool integration, particularly if the proactive intelligence engine automatically triggers actions or tool executions based on poisoned local context without explicit user confirmation.
The agent runs locally on-device ('no terminal, no API keys, no setup'). While this eliminates cloud hosting risks, it introduces local host compromise and privilege escalation threats if the application binary contains vulnerabilities or lacks proper sandboxing from other local processes.
Not certain from the listing — There is no mention of local evaluation, guardrails, or observability logging. The lack of visible guardrails creates a blind spot where poisoned local memory or malicious inputs can silently degrade agent behavior over time.
The agent emphasizes a 'privacy-first' and 'local/private data handling' posture, which aligns with data minimization principles. However, there is no mention of formal compliance frameworks (e.g., SOC2) or local access control mechanisms to prevent unauthorized local users from accessing the stored knowledge base.
The agent features a 'Council of Agents'. This multi-agent architecture introduces risks of agent-to-agent (A2A) trust abuse, where a single compromised or poisoned sub-agent within the council propagates malicious instructions or corrupted data to other agents, causing cascading failures in reasoning.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification. See the scoring methodology — every score is re-derived by the same automated method as an agent's public evidence changes.