
Teammates.ai — agentic threat model

AIVSS 9.6 · Critical

Teammates.ai presents a high-risk agentic profile due to its end-to-end autonomy, multi-agent architecture, and deep integration with sensitive business systems (CRMs, e-commerce, ticketing) including financial capabilities like issuing refunds. The lack of visible security guardrails combined with public-facing omnichannel inputs (voice, email, chat) significantly amplifies the potential for prompt injection and unauthorized transactional execution.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5
AARS uplift: 1.13
Factor sum: 7.2/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0
Agentic risk factors:
Autonomy of Action: 0.90
Goal-Driven Planning: 0.80
Self-Modification: 0.30
Dynamic Tool Use: 0.80
Persistent Memory: 0.70
Contextual Awareness: 0.80
Dynamic Identity: 0.50
Multi-Agent Interactions: 0.90
Non-Determinism: 0.70
Opacity & Reflexivity: 0.80

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
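As an added example that is not part of the listing or of the OWASP AIVSS calculator, the following Python reproduces the score rationale above from the formula and the ten factor weights quoted on this page. The input validation, the 10.0 cap on the final score and the severity-band thresholds are this example's own assumptions.

```python
"""Worked AIVSS computation for the formula quoted on this page.

    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM

Added example: the ten factor weights are the ones shown in the listing for
Teammates.ai; function names, the input validation, the 10.0 cap and the
severity bands are this example's own assumptions, not part of AIVSS itself.
"""

# The ten agentic risk factors, in the order the listing presents them.
AGENTIC_FACTORS = (
    "Autonomy of Action",
    "Goal-Driven Planning",
    "Self-Modification",
    "Dynamic Tool Use",
    "Persistent Memory",
    "Contextual Awareness",
    "Dynamic Identity",
    "Multi-Agent Interactions",
    "Non-Determinism",
    "Opacity & Reflexivity",
)

# Factor weights as shown on this page for Teammates.ai.
TEAMMATES_FACTORS = {
    "Autonomy of Action": 0.90,
    "Goal-Driven Planning": 0.80,
    "Self-Modification": 0.30,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.70,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.50,
    "Multi-Agent Interactions": 0.90,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.80,
}


def validate_inputs(cvss_base, factors, threat_multiplier, mitigation_factor):
    """Reject inputs the formula cannot sensibly take (ranges are assumed)."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must lie in [0, 10]")
    if set(factors) != set(AGENTIC_FACTORS):
        raise ValueError("exactly the ten AIVSS agentic factors must be supplied")
    for name, weight in factors.items():
        if not 0.0 <= weight <= 1.0:
            raise ValueError(f"factor {name!r} must lie in [0, 1], got {weight}")
    if threat_multiplier <= 0 or mitigation_factor <= 0:
        raise ValueError("threat and mitigation multipliers must be positive")


def aivss(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """Return (factor_sum, aars, score) for the page's AIVSS formula.

    factor_sum - sum of the ten factor weights (0..10)
    aars       - agentic uplift added on top of the CVSS base
    score      - final AIVSS, capped at 10.0 (the cap is this example's
                 assumption; the formula as quoted states no ceiling)
    """
    validate_inputs(cvss_base, factors, threat_multiplier, mitigation_factor)
    factor_sum = sum(factors[name] for name in AGENTIC_FACTORS)
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    score = (cvss_base + aars) * mitigation_factor
    return factor_sum, aars, min(score, 10.0)


def severity_band(score):
    """Qualitative band; thresholds assumed to mirror CVSS v3.x ratings."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def score_rationale(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """Rounded summary figures in the shape the listing shows."""
    factor_sum, aars, score = aivss(cvss_base, factors, threat_multiplier, mitigation_factor)
    return {
        "cvss_base": round(cvss_base, 1),
        "aars_uplift": round(aars, 2),
        "factor_sum": round(factor_sum, 1),
        "threat_multiplier": threat_multiplier,
        "mitigation_factor": mitigation_factor,
        "aivss": round(score, 1),
        "severity": severity_band(score),
    }


if __name__ == "__main__":
    # Reproduces the figures on this page: base 8.5, ThM 1.05, mitigation 1.0.
    for key, value in score_rationale(8.5, TEAMMATES_FACTORS, 1.05, 1.0).items():
        print(f"{key}: {value}")
```

Running the block with the page's inputs gives an AARS uplift of 1.134 (shown as 1.13) and a final score of 9.634 (shown as 9.6). The mitigation factor is the only term that can pull the score down, which is why a listing with no visible guardrails lands at ×1.0 and keeps the full uplift.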

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The underlying foundation models are not specified. However, the agent's multilingual capabilities (50+ languages/dialects) and omnichannel inputs (voice, email, chat) expose it to adversarial prompt injection, language-specific bypasses, and voice-spoofing/reprogramming attacks.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — While the agent integrates with 30+ CRMs and e-commerce platforms, the listing does not detail its internal data operations, vector stores, or RAG mechanisms. The primary threat is the exfiltration or poisoning of sensitive customer and transactional data stored within these connected systems.

L3 · Agent Frameworks (✓ mapped)

The agent uses a proprietary multi-agent framework with 30+ native connectors to execute workflows like issuing refunds and resolving tickets. This creates a high risk of tool misuse, insecure tool integration, and unauthorized transaction execution if the agent is manipulated via malicious user inputs.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — No details are provided regarding hosting, sandboxing, or secrets management. Given the 30+ integrations, insecure storage of API keys or credentials for CRMs and e-commerce platforms represents a critical infrastructure threat.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — The agent features 'Real-Time Learning' and trend monitoring to escalate issues, but specific evaluation guardrails, logging mechanisms, or drift detection systems are not described, leaving potential blind spots in operational monitoring.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — Despite handling highly sensitive customer data, e-commerce transactions, and CRM records, the listing does not mention any compliance certifications (e.g., SOC2, GDPR) or specific identity and access management policies.

L7 · Agent Ecosystem (✓ mapped)

The system is explicitly built on a proprietary, advanced multi-agent architecture where multiple 'Teammates' coordinate to manage entire job roles. This introduces risks of agent-to-agent trust abuse, cascading failures across agent workflows, and horizontal privilege escalation between different agent roles.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).