Skail — agentic threat model

AIVSS 7.9 · High

Skail presents a high-risk profile due to its ability to autonomously send emails as a 'digital clone' of the user and its deep integration with sensitive CRM systems like Salesforce and HubSpot, making it a prime target for business email compromise (BEC) and data exfiltration.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.5 · AARS uplift 0.82 · Factor sum 5.2/10 · Threat ×1.05 · Mitigation ×0.85

Agentic risk factors:
Autonomy of Action: 0.80
Goal-Driven Planning: 0.40
Self-Modification: 0.20
Dynamic Tool Use: 0.70
Persistent Memory: 0.60
Contextual Awareness: 0.80
Dynamic Identity: 0.50
Multi-Agent Interactions: 0.10
Non-Determinism: 0.60
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — uses a proprietary model to learn writing styles. Threats include model stealing of the style-cloning weights, adversarial prompt injection to bypass content safety filters, and poisoning of the style-learning process to generate malicious or offensive emails.

L2 · Data Operations (✓ mapped)

Integrates directly with Salesforce, HubSpot, and external datasets. This introduces severe risks of CRM data exfiltration, unauthorized access to sensitive customer records, and data poisoning of the context-enrichment pipeline.

L3 · Agent Frameworks (✓ mapped)

Orchestrates email drafting and autonomous dispatch. Vulnerable to prompt injection attacks that could hijack the tool-calling mechanism to send unauthorized, malicious, or phishing emails directly to CRM contacts.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — hosted as a closed-source paid service. Key threats include insecure storage of CRM API keys/secrets and potential container compromise leading to lateral movement within the hosting infrastructure.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — no explicit mention of monitoring, logging, or guardrails. The lack of observability could lead to undetected drift in the 'digital clone' behavior or silent failures in autonomous email sending.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Claims to be 'Privacy-Focused' with secure data handling. However, acting as a digital clone to send emails autonomously raises significant compliance risks (GDPR, CAN-SPAM) and requires strict identity verification and audit logging.

L7 · Agent Ecosystem (⚠ not certain from listing)

Not certain from the listing — no explicit multi-agent marketplace interactions are described. However, integration with external CRM ecosystems creates a horizontal trust boundary risk where a compromise in one system affects the other.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).