video-comparer — agentic threat model

AIVSS 7.7 · High

The video-comparer agent presents a low agentic risk due to its narrow, deterministic scope, but carries traditional software security risks related to executing system binaries (ffmpeg) and generating HTML reports from untrusted video inputs.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 7.5 · AARS uplift 0.22 · Factor sum 0.9/10 · Threat ×1.0 · Mitigation ×1.0

Agentic risk factors:
Autonomy of Action: 0.20
Goal-Driven Planning: 0.10
Self-Modification: 0.00
Dynamic Tool Use: 0.30
Persistent Memory: 0.00
Contextual Awareness: 0.10
Dynamic Identity: 0.00
Multi-Agent Interactions: 0.00
Non-Determinism: 0.10
Opacity & Reflexivity: 0.10

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — the description focuses on ffmpeg-based metric computation and HTML generation; it is unclear if or how an LLM is directly orchestrating this skill or if it is purely code-based.

L2 · Data Operations · ⚠ not certain from listing

Not certain from the listing — video inputs are processed locally to compute PSNR/SSIM, but there is no mention of vector databases, training data, RAG, or persistent data stores.

L3 · Agent Frameworks · ✓ mapped

The skill integrates ffmpeg and file-writing tools. Threats include insecure tool integration, such as command injection via maliciously crafted video filenames or arguments passed to ffmpeg, and arbitrary file writes when generating the HTML report.
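
The two L3 threats above (arguments reaching ffmpeg, and the report write and its contents), hardened in Python. This is an added example, not the skill's own code; the function names, the directory layout and the sample filenames are assumptions made for illustration.

```python
import html
import tempfile
from pathlib import Path


def confine(base: Path, name: str) -> Path:
    """Resolve an untrusted name under base; reject anything that escapes it."""
    base = base.resolve()
    target = (base / name).resolve()
    if not target.is_relative_to(base):  # Python 3.9+
        raise ValueError(f"path escapes {base}: {name!r}")
    return target


def ffmpeg_argv(ref: Path, dist: Path) -> list[str]:
    """Build argv for subprocess.run(argv, timeout=...) with the default shell=False.

    Each filename is exactly one argv element, so no shell ever parses it.
    Callers pass paths returned by confine(): they are absolute, so a name
    cannot begin with "-" and be read as an option, and the "file:" prefix
    stops ffmpeg from treating the name as another protocol URL.
    """
    return ["ffmpeg", "-nostdin", "-hide_banner",
            "-i", f"file:{ref}", "-i", f"file:{dist}",
            "-lavfi", "ssim", "-f", "null", "-"]


def render_report(ref_name: str, dist_name: str, ssim: float) -> str:
    """Escape every untrusted string before it is placed in the HTML report."""
    return ("<!doctype html><title>Video comparison</title>"
            f"<p>{html.escape(ref_name)} vs {html.escape(dist_name)}</p>"
            f"<p>SSIM: {ssim:.4f}</p>")


if __name__ == "__main__":
    uploads = Path(tempfile.mkdtemp())   # assumed upload directory
    reports = Path(tempfile.mkdtemp())   # assumed report directory
    # Constructed hostile filenames, for illustration only.
    ref = confine(uploads, "-y; touch pwned.mp4")
    dist = confine(uploads, "<img src=x onerror=alert(1)>.mp4")
    print(ffmpeg_argv(ref, dist))
    out = confine(reports, "report.html")  # "../x.html" would raise ValueError
    out.write_text(render_report(ref.name, dist.name, 0.9812), encoding="utf-8")
    print(out.read_text(encoding="utf-8"))
```

The SSIM value in the demo is a constructed number; the same argv pattern applies to the `psnr` filter.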

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing — as an open-source skill, deployment depends on the host environment. If unsandboxed, running ffmpeg on untrusted user-uploaded videos poses a risk of container/host compromise via known codec vulnerabilities.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — there are no mentioned logging, guardrails, or drift detection mechanisms for monitoring the execution of the ffmpeg command or HTML generation.

L6 · Security & Compliance (cross-cutting) · ⚠ not certain from listing

Not certain from the listing — no authentication, authorization, or access control policies are described for restricting who can run the comparison or access the generated HTML reports.

L7 · Agent Ecosystem · ⚠ not certain from listing

Not certain from the listing — this is a standalone utility skill with no indicated multi-agent interactions or marketplace dependencies.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).