
Trefundo AI — agentic threat model

AIVSS 9.4 · Critical

Trefundo AI exhibits high agentic risk due to its autonomous negotiation capabilities, handling of sensitive financial and booking data, and potential to execute transactions (refunds, resales) on behalf of users without explicit real-time human-in-the-loop validation.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor
AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.5
AARS uplift: 0.88
Factor sum: 5.6/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0

Agentic risk factors (each scored 0.0–1.0):
Autonomy of Action: 0.70
Goal-Driven Planning: 0.80
Self-Modification: 0.10
Dynamic Tool Use: 0.70
Persistent Memory: 0.60
Contextual Awareness: 0.70
Dynamic Identity: 0.60
Multi-Agent Interactions: 0.20
Non-Determinism: 0.70
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
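The score above can be reproduced from the formula and the factor table as listed. The following is an added worked example, not code from the listing or from the OWASP AIVSS calculator; it implements the formula exactly as quoted on this page with the page's own values, and the qualitative bands in rating() are an assumption that AIVSS uses the CVSS v3.x severity bands. The mitigation_to_reach() helper is also an addition: it answers the defender's question of how much the mitigation lever would have to move before the agent drops out of the Critical band.

```python
"""Worked AIVSS computation for the Trefundo AI listing (added example).

Formula as stated on the page:
    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
"""

# Agentic risk factors exactly as shown in the listing's table (0.0-1.0 each).
TREFUNDO_FACTORS = {
    "Autonomy of Action": 0.70,
    "Goal-Driven Planning": 0.80,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.70,
    "Persistent Memory": 0.60,
    "Contextual Awareness": 0.70,
    "Dynamic Identity": 0.60,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.50,
}

CVSS_BASE = 8.5           # "CVSS base 8.5" on the page
THREAT_MULTIPLIER = 1.05  # ThM, "Threat x1.05" on the page
MITIGATION_FACTOR = 1.0   # "Mitigation x1.0" on the page


def factor_sum(factors):
    """Sum of the ten agentic factors (reported on the page as 'Factor sum x/10')."""
    if len(factors) != 10:
        raise ValueError("AIVSS defines exactly ten agentic risk factors")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name}: factor {value} is outside 0.0-1.0")
    return round(sum(factors.values()), 2)


def aars(cvss_base, factors, thm):
    """AARS uplift term, per the formula quoted on the page."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * thm


def aivss(cvss_base, factors, thm, mitigation):
    """Final AIVSS; capped at 10.0 so a mitigation factor above 1 cannot exceed the scale."""
    return min(10.0, (cvss_base + aars(cvss_base, factors, thm)) * mitigation)


def rating(score):
    """Qualitative band. Assumption: AIVSS reuses the CVSS v3.x bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def mitigation_to_reach(target, cvss_base, factors, thm):
    """Largest Mitigation_Factor that keeps AIVSS at or below `target`.

    Added helper (not part of the AIVSS specification): shows how much the
    mitigation lever must move for the agent to leave a given band.
    """
    return target / (cvss_base + aars(cvss_base, factors, thm))


def trefundo_score():
    """Recompute the listing's headline numbers from its inputs."""
    uplift = aars(CVSS_BASE, TREFUNDO_FACTORS, THREAT_MULTIPLIER)
    score = aivss(CVSS_BASE, TREFUNDO_FACTORS, THREAT_MULTIPLIER, MITIGATION_FACTOR)
    return {
        "factor_sum": factor_sum(TREFUNDO_FACTORS),
        "aars": round(uplift, 2),
        "aivss": round(score, 1),
        "rating": rating(score),
    }


if __name__ == "__main__":
    print(trefundo_score())
    # How far would mitigation have to go to land just below Critical (8.9)?
    m = mitigation_to_reach(8.9, CVSS_BASE, TREFUNDO_FACTORS, THREAT_MULTIPLIER)
    print(f"mitigation factor needed for 8.9: {m:.3f}")
```

Running it returns factor sum 5.6, AARS uplift 0.88 and AIVSS 9.4 (Critical), matching the listing. The last line illustrates the defender-side reading of the formula: with the agentic factors as estimated, the mitigation factor would have to fall to roughly 0.95 before the score leaves the Critical band, so controls on autonomy and goal-driven planning (the two highest factors) are the levers with the most leverage on the score itself.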

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary added where the public description did not give enough detail to pin that layer down.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing — likely utilizes commercial LLMs fine-tuned or prompted for negotiation. Primary threats include prompt injection during email/chat negotiations, which could trick the model into leaking user PII or accepting unfavorable terms.

L2 · Data Operations ⚠ not certain from listing

Not certain from the listing — processes highly sensitive user data including booking confirmations, identity details, and potentially payment info. Threats include data exfiltration of PII and unauthorized access to historical booking records.

L3 · Agent Frameworks ⚠ not certain from listing

Not certain from the listing — orchestrates multi-step negotiation strategies, legal analysis, and resale actions. Insecure tool integration is a major threat, where an attacker could manipulate the agent into canceling bookings without refunds or redirecting resale payouts.

L4 · Deployment & Infrastructure ⚠ not certain from listing

Not certain from the listing — operates 24/7, requiring robust cloud hosting. Key threats include the exposure of API credentials for email dispatch, booking platforms, or resale marketplaces.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing — requires strict guardrails to monitor negotiation behavior and prevent the agent from making fraudulent legal claims or agreeing to terms that violate user preferences.

L6 · Security & Compliance (cross-cutting) ⚠ not certain from listing

Not certain from the listing — must comply with privacy regulations (GDPR/CCPA) and financial standards (PCI-DSS) if handling refunds. The primary risk is the lack of explicit, verifiable authorization mechanisms allowing the agent to legally act as a proxy for the user.

L7 · Agent Ecosystem ⚠ not certain from listing

Not certain from the listing — interacts with external hotel APIs, customer service chatbots, and resale marketplaces. Threats include cascading failures if external platforms block the agent or if it interacts with malicious automated systems.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).