AgentReadyHomeAgent ListingRuntimePricing

← Test My Face

Test My Face — agentic threat model

3.8AIVSS 3.8 · Low

Test My Face is a low-risk, single-purpose utility with minimal agentic capabilities, acting primarily as a static image classification and recommendation pipeline rather than an autonomous agent.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 4.3AARS uplift 0.41Factor sum 0.8/10Threat ×0.9Mitigation ×0.8
Autonomy of Action
0.10
Goal-Driven Planning
0.00
Self-Modification
0.00
Dynamic Tool Use
0.00
Persistent Memory
0.00
Contextual Awareness
0.20
Dynamic Identity
0.00
Multi-Agent Interactions
0.00
Non-Determinism
0.30
Opacity & Reflexivity
0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models✓ mapped

Uses a computer vision model for facial proportion measurement and classification. Vulnerable to adversarial image perturbations (e.g., physical makeup or digital noise designed to spoof face shapes) and model extraction if the classification weights are proprietary.

L2 · Data Operations✓ mapped

Processes uploaded user selfies. The listing claims photos are processed securely and not stored permanently, mitigating long-term data exfiltration and privacy risks, though transient memory handling must be verified.

L3 · Agent Frameworks⚠ not certain from listing

Not certain from the listing — There is no evidence of an agentic framework, planning, or tool-calling capabilities. The system appears to run as a deterministic pipeline from image upload to classification output and styling suggestions.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — Standard web hosting infrastructure is assumed. Risks include typical web application vulnerabilities (e.g., denial of service, insecure file upload handling of the selfie images, or server-side request forgery).

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — No explicit monitoring, logging, or guardrails are mentioned. The primary risk is classification drift or bias across different demographic groups (skin tones, genders, ages) without active observability.

L6 · Security & Compliance (cross-cutting)✓ mapped

The tool requires no user account, which minimizes identity and authorization risks. However, compliance with biometric data privacy laws (like BIPA or GDPR) is a potential concern depending on how 'not stored permanently' is implemented.

L7 · Agent Ecosystem✓ mapped

This is a standalone vertical application with no multi-agent interactions, marketplace integrations, or external ecosystem dependencies described.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).

These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification. See the scoring methodology — every score is re-derived by the same automated method as an agent's public evidence changes.