AgentReadyHomeAgent Listing

← VacAIgent

VacAIgent — agentic threat model

7.9AIVSS 7.9 · High

VacAIgent presents a low-to-moderate risk profile as a local travel planner, but its multi-agent architecture (CrewAI) introduces risks of agent-to-agent trust abuse and prompt injection, compounded by a lack of sandboxing in its Streamlit deployment.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 6.3AARS uplift 1.63Factor sum 4.4/10Threat ×1.0Mitigation ×1.0
Autonomy of Action
0.50
Goal-Driven Planning
0.70
Self-Modification
0.10
Dynamic Tool Use
0.30
Persistent Memory
0.30
Contextual Awareness
0.50
Dynamic Identity
0.10
Multi-Agent Interactions
0.80
Non-Determinism
0.60
Opacity & Reflexivity
0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models✓ mapped

Uses GPT-4, GPT-3.5, and local models via Ollama. Primary threats include prompt injection leading to hijacked itineraries, or model manipulation if using untrusted local Ollama models.

L2 · Data Operations⚠ not certain from listing

Not certain from the listing — the data operations layer is not detailed, but likely involves processing user-provided preferences and potentially caching destination data. Risks include injection of malicious payloads via user inputs.

L3 · Agent Frameworks✓ mapped

Uses the CrewAI framework for orchestration. Threats include insecure tool execution, prompt injection bypassing agent boundaries, and cascading failures in agent planning.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — deployment is likely self-hosted via Streamlit (local or Streamlit Community Cloud). Risks include exposed Streamlit ports, lack of sandboxing for local execution, and insecure storage of OpenAI API keys.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — no built-in evaluation or observability framework is mentioned. Lack of monitoring could lead to undetected prompt injections or agent loop failures.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — as an open-source travel planning tool, it lacks formal identity, authorization, or compliance controls, relying entirely on the host environment's security.

L7 · Agent Ecosystem✓ mapped

Uses CrewAI multi-agent collaboration. Threats include agent-to-agent trust abuse, where a compromised 'destination researcher' agent feeds malicious data to the 'itinerary planner' agent, leading to downstream exploitation.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).