
Semantic Kernel — agentic threat model

AIVSS 8.4 · High

Semantic Kernel is a highly flexible, open-source orchestration framework whose agentic risk is driven by its powerful Planner and Plugin systems, which can execute arbitrary code or APIs if prompt injection or planner manipulation occurs.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

Inputs:
CVSS base: 8.5
AARS uplift: 0.83
Factor sum: 5.5 / 10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.9

Agentic risk factors (each scored 0.0 to 1.0):
Autonomy of Action: 0.60
Goal-Driven Planning: 0.80
Self-Modification: 0.20
Dynamic Tool Use: 0.70
Persistent Memory: 0.60
Contextual Awareness: 0.70
Dynamic Identity: 0.30
Multi-Agent Interactions: 0.40
Non-Determinism: 0.70
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
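To make the score reproducible, here is an added worked computation (not part of the listing or of the AIVSS calculator) that applies the formula above to the ten factor values shown and reports which factors contribute most to the agentic uplift; all numbers are the page's own, and the ranking helper is an addition for defenders deciding where mitigation would move the score.

```python
# Added example: recompute the page's AIVSS score from its listed inputs.
# Formula exactly as stated on the page:
#   AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
#   AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM

CVSS_BASE = 8.5
THREAT_MULTIPLIER = 1.0   # ThM on the page
MITIGATION_FACTOR = 0.9

# The ten agentic risk factors with the values given in the listing.
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.60,
    "Goal-Driven Planning": 0.80,
    "Self-Modification": 0.20,
    "Dynamic Tool Use": 0.70,
    "Persistent Memory": 0.60,
    "Contextual Awareness": 0.70,
    "Dynamic Identity": 0.30,
    "Multi-Agent Interactions": 0.40,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.50,
}


def factor_sum(factors):
    """Sum of the agentic factors (the page's 'Factor sum', out of 10)."""
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name}: factor must lie in [0, 1], got {value}")
    return sum(factors.values())


def aars(cvss_base, factors, thm):
    """Agentic uplift. (10 - CVSS_Base) is the headroom left below 10, so the
    uplift scales the remaining headroom by the normalised factor sum."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * thm


def aivss(cvss_base, factors, thm, mitigation):
    """Final AIVSS score, rounded to one decimal as displayed on the page."""
    return round((cvss_base + aars(cvss_base, factors, thm)) * mitigation, 1)


def uplift_by_factor(cvss_base, factors, thm):
    """Added helper: each factor's share of AARS, highest first. Shows which
    capabilities (planner, tool use, non-determinism) drive the uplift."""
    share = {n: (10.0 - cvss_base) * (v / 10.0) * thm for n, v in factors.items()}
    return sorted(share.items(), key=lambda kv: kv[1], reverse=True)
```

For this listing the computation gives AARS ≈ 0.825 (shown as 0.83) and AIVSS 8.4, with Goal-Driven Planning and Dynamic Tool Use as the two largest contributors.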

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ✓ mapped

Acts as an integration layer for external foundation models (OpenAI, Azure OpenAI, Hugging Face). It is inherently vulnerable to upstream model threats like prompt injection, adversarial reprogramming, and model-level data leakage.

L2 · Data Operations · ✓ mapped

Provides memory abstractions and connectors for data sources and vector stores. Risks include data exfiltration via prompt injection and potential knowledge-base poisoning if untrusted data is ingested into the memory connectors.

L3 · Agent Frameworks · ✓ mapped

This is the core risk area. The framework's Planner and Plugin systems allow LLMs to dynamically select and execute functions. Insecure tool integration or planner manipulation could lead to unauthorized function execution or remote code execution.

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing — As an SDK embedded in C#, Java, or Python applications, deployment security, sandboxing of plugins, and secrets management depend entirely on the host application's infrastructure.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — While the SDK provides abstractions for logging and telemetry, the listing does not specify built-in guardrails, drift detection, or automated evaluation mechanisms.

L6 · Security & Compliance (cross-cutting) · ⚠ not certain from listing

Not certain from the listing — Compliance, identity management, and authorization controls are delegated to the developer implementing the SDK and the underlying cloud providers (e.g., Azure).

L7 · Agent Ecosystem · ⚠ not certain from listing

Not certain from the listing — The listing focuses on single-agent planners and plugins; multi-agent orchestration and ecosystem-level trust boundaries are not explicitly detailed.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).