TariffCatalog — agentic threat model
TariffCatalog presents moderate agentic risk due to its integration with e-commerce platforms (Shopify, WooCommerce, Amazon) and its role in calculating financial duties and drafting customs documents, though it operates primarily as a read-heavy, advisory tool.
OWASP AIVSS score rationale
| Autonomy of Action | 0.30 | |
| Goal-Driven Planning | 0.40 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.50 | |
| Persistent Memory | 0.20 | |
| Contextual Awareness | 0.60 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.10 | |
| Non-Determinism | 0.40 | |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — relies on underlying LLMs for HS code classification and document drafting, making it vulnerable to prompt injection that could misclassify goods to evade tariffs or manipulate duty estimations.
Processes product catalogs (Shopify, WooCommerce, Amazon, CSV). Vulnerable to data poisoning if malicious product descriptions are injected to force incorrect HS code mappings or exploit parsing logic.
Orchestrates catalog ingestion, HS code lookup, and document drafting. Risks include insecure tool integration with e-commerce APIs and potential injection via malformed catalog data leading to unauthorized API calls.
Not certain from the listing — requires secure storage of e-commerce API keys and credentials. Insecure deployment could lead to credential theft or unauthorized access to the connected Shopify/WooCommerce/Amazon stores.
Not certain from the listing — requires robust logging and guardrails to detect systematic misclassifications or anomalous duty estimations that could indicate exploitation or model drift.
Not certain from the listing — handling of commercial catalog data and customs documentation requires strict compliance with trade regulations and data privacy standards, but specific compliance certifications are not detailed.
Interacts with external e-commerce ecosystems (Shopify, WooCommerce, Amazon). Vulnerabilities in these third-party platforms or their API integrations could expose the agent to cascading security failures.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification. See the scoring methodology — every score is re-derived by the same automated method as an agent's public evidence changes.