

Rig — agentic threat model

AIVSS 7.7 · High

Rig is a high-performance Rust framework that mitigates traditional memory-safety vulnerabilities but introduces agentic risks through its support for multi-agent orchestration and RAG integrations, requiring developers to implement their own sandboxing and guardrails.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 7.5
AARS uplift: 1.07
Factor sum: 4.3/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.9

Autonomy of Action: 0.40
Goal-Driven Planning: 0.50
Self-Modification: 0.10
Dynamic Tool Use: 0.50
Persistent Memory: 0.40
Contextual Awareness: 0.60
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.70
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
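The arithmetic behind the 7.7 can be checked by hand, and it is useful to have it as code when comparing several agents or re-scoring after a mitigation changes. The following is an added example, not code from the AIVSS calculator or from the Rig project: it takes the ten factor weights and the CVSS base, threat multiplier and mitigation factor exactly as listed above and applies the formula stated in the rationale. The struct and function names are this example's own; the severity bands are assumed to be the CVSS v3.x qualitative bands (which the listing's "High" label matches).

```rust
// Added example: reproduces the OWASP AIVSS arithmetic for Rig from the
// listing's values. Names below are this example's own, not the calculator's API.

#[derive(Debug, Clone, Copy)]
pub struct AivssInputs {
    pub cvss_base: f64,          // CVSS_Base
    pub threat_multiplier: f64,  // ThM
    pub mitigation_factor: f64,  // Mitigation_Factor
}

/// Values shown in the listing's score rationale.
pub const RIG_INPUTS: AivssInputs = AivssInputs {
    cvss_base: 7.5,
    threat_multiplier: 1.0,
    mitigation_factor: 0.9,
};

/// The ten agentic risk factors, each weighted 0.0..=1.0, as listed on the page.
pub const RIG_FACTORS: [(&str, f64); 10] = [
    ("Autonomy of Action", 0.40),
    ("Goal-Driven Planning", 0.50),
    ("Self-Modification", 0.10),
    ("Dynamic Tool Use", 0.50),
    ("Persistent Memory", 0.40),
    ("Contextual Awareness", 0.60),
    ("Dynamic Identity", 0.20),
    ("Multi-Agent Interactions", 0.70),
    ("Non-Determinism", 0.50),
    ("Opacity & Reflexivity", 0.40),
];

/// Factor_Sum: plain sum of the ten weights (maximum 10.0).
pub fn factor_sum(factors: &[(&str, f64)]) -> f64 {
    factors.iter().map(|(_, w)| w).sum()
}

/// AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
/// The uplift is bounded by the headroom left above the CVSS base, so a
/// CVSS 10.0 finding gets no agentic uplift at all.
pub fn aars(inputs: &AivssInputs, factor_sum: f64) -> f64 {
    (10.0 - inputs.cvss_base) * (factor_sum / 10.0) * inputs.threat_multiplier
}

/// AIVSS = (CVSS_Base + AARS) × Mitigation_Factor
pub fn aivss(inputs: &AivssInputs, factors: &[(&str, f64)]) -> f64 {
    (inputs.cvss_base + aars(inputs, factor_sum(factors))) * inputs.mitigation_factor
}

/// Round to one decimal, as the listing displays the score.
pub fn round1(x: f64) -> f64 {
    (x * 10.0).round() / 10.0
}

/// Qualitative band. Assumption: AIVSS reuses the CVSS v3.x bands.
pub fn severity(score: f64) -> &'static str {
    match score {
        s if s <= 0.0 => "None",
        s if s < 4.0 => "Low",
        s if s < 7.0 => "Medium",
        s if s < 9.0 => "High",
        _ => "Critical",
    }
}

fn main() {
    let fs = factor_sum(&RIG_FACTORS);
    let score = aivss(&RIG_INPUTS, &RIG_FACTORS);
    println!("factor sum = {:.1}/10", fs);
    println!("AARS       = {:.3}", aars(&RIG_INPUTS, fs));
    println!("AIVSS      = {:.1} ({})", score, severity(round1(score)));
}
```

Running it gives a factor sum of 4.3, an AARS of 1.075 (the listing shows it truncated to 1.07) and an AIVSS of 7.7175, which rounds to the displayed 7.7. Note where the leverage is: with the mitigation factor at 0.9, the score is driven almost entirely by the CVSS base, so the deployment-side controls a developer adds around Rig are what move the mitigation factor, not anything in the framework itself.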

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (✓ mapped)

Rig provides a unified LLM interface across multiple providers. Threats include API key exposure, prompt injection bypassing the unified abstraction, and reliance on external provider security postures.

L2 · Data Operations (✓ mapped)

Rig features seamless vector store integration and flexible embedding support. This introduces risks of vector database injection, data exfiltration via RAG pipelines, and unauthorized access to the underlying knowledge bases.

L3 · Agent Frameworks (✓ mapped)

As an orchestration framework, Rig manages agent workflows and tool calling. While Rust's type safety mitigates memory corruption, logical vulnerabilities in tool integration, state management, and memory poisoning remain key threats.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — Rig is a library/framework, meaning deployment and infrastructure security (sandboxing, secrets management, network isolation) are entirely dependent on the developer's implementation.
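Because Rig leaves sandboxing and guardrails to the application (L3 and L4 above), the practical question for a developer is what that layer looks like in their own Rust code. The following is an added example, not Rig's code and not its tool API: it models a policy object that sits between a model's tool-call request and the tool itself, enforcing a tool allowlist, confining any `path` argument under a sandbox root without touching the filesystem, and capping the number of calls per task. The `ToolCall` shape, the argument names and the sandbox directory are all assumptions chosen for illustration.

```rust
// Added example: an application-side guardrail for model-issued tool calls.
// Not part of Rig; the ToolCall shape, argument names and paths are assumed.
use std::collections::{HashMap, HashSet};
use std::path::{Component, Path, PathBuf};

/// A tool invocation as the model requested it (assumed shape).
#[derive(Debug, Clone, PartialEq)]
pub struct ToolCall {
    pub name: String,
    pub args: HashMap<String, String>,
}

/// Outcome of policy evaluation: the call to execute, or a reason to refuse.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Allow(ToolCall),
    Deny(&'static str),
}

pub struct ToolPolicy {
    allowed_tools: HashSet<&'static str>,
    sandbox_root: PathBuf,
    max_calls: usize,
    calls_made: usize,
}

impl ToolPolicy {
    pub fn new(allowed: &[&'static str], sandbox_root: &str, max_calls: usize) -> Self {
        ToolPolicy {
            allowed_tools: allowed.iter().copied().collect(),
            sandbox_root: PathBuf::from(sandbox_root),
            max_calls,
            calls_made: 0,
        }
    }

    /// Join a model-supplied path onto the sandbox root, accepting only plain
    /// segments. Absolute paths, drive prefixes and `..` are rejected outright
    /// rather than normalised, so no filesystem access is needed to decide.
    fn confine(&self, raw: &str) -> Option<PathBuf> {
        let mut out = self.sandbox_root.clone();
        for component in Path::new(raw).components() {
            match component {
                Component::Normal(segment) => out.push(segment),
                Component::CurDir => {}
                Component::ParentDir | Component::RootDir | Component::Prefix(_) => return None,
            }
        }
        Some(out)
    }

    /// Evaluate one call. Only allowed calls count against the budget, so a
    /// model that keeps asking for denied tools cannot starve itself by accident.
    pub fn check(&mut self, call: ToolCall) -> Verdict {
        if self.calls_made >= self.max_calls {
            return Verdict::Deny("tool-call budget exhausted");
        }
        if !self.allowed_tools.contains(call.name.as_str()) {
            return Verdict::Deny("tool not in allowlist");
        }
        let mut call = call;
        if let Some(raw) = call.args.get("path").cloned() {
            match self.confine(&raw) {
                Some(p) => {
                    call.args.insert("path".to_string(), p.to_string_lossy().into_owned());
                }
                None => return Verdict::Deny("path escapes sandbox root"),
            }
        }
        self.calls_made += 1;
        Verdict::Allow(call)
    }
}

/// Convenience constructor for a call with string arguments.
pub fn tool_call(name: &str, args: &[(&str, &str)]) -> ToolCall {
    ToolCall {
        name: name.to_string(),
        args: args.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect(),
    }
}

fn main() {
    // Constructed sample: a read-only tool, a sandbox directory and a budget of 2.
    let mut policy = ToolPolicy::new(&["read_file"], "/srv/agent/workspace", 2);
    for call in [
        tool_call("read_file", &[("path", "notes/today.md")]),
        tool_call("read_file", &[("path", "../secrets.txt")]),
        tool_call("shell", &[("cmd", "ls")]),
    ] {
        println!("{:?}", policy.check(call));
    }
}
```

The verdict is returned to the orchestration loop rather than acted on here, so the same policy can be reused whether the loop is hand-written or driven by a framework; the point is that allowlisting, path confinement and call budgets are decisions the application must make explicitly, because the listing gives no indication the framework makes them.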

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — the description does not mention built-in evaluation, logging, guardrails, or observability features, leaving developers to integrate third-party monitoring tools.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Rig leverages Rust's compile-time safety and type-safe LLM interactions to prevent common software vulnerabilities, but it does not specify built-in authentication, authorization, or compliance policies.

L7 · Agent Ecosystem (✓ mapped)

Rig explicitly supports multi-agent setups. This introduces risks of cascading failures, trust abuse between agents, and complex coordination exploits within the agent ecosystem.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).