Hey everyone. I’ve been working on a few internal single-function agents lately—think “validate this input format” or “sanitize this log line”—and realized our existing threat model templates are a bit heavy for such simple cases. So I sketched something lighter.
This template is for agents that take a string input, do one deterministic thing, and return a string output. No tool calls, no external services, no persistent memory. The goal is to capture the non-obvious risks even in these minimal flows.
**Assumptions**
* The agent’s code is considered trusted (we’re focusing on the deployment context).
* The agent runs in a sandboxed environment (e.g., a restricted container or WASM runtime).
* Input comes from a pre-authenticated upstream service within the same trust boundary.
* Output is delivered directly to a downstream service in the same boundary.
**Threat Model (STRIDE per element)**
* **Data Flow: User Input → Agent → Downstream Service**
  * Spoofing: Upstream service could be impersonated if the auth boundary is misconfigured.
  * Tampering: Input could be altered in transit. Agent’s internal logic could be tampered with if the artifact registry is compromised.
  * Repudiation: Without input/output logging, actions might not be traceable to a source request.
  * Information Disclosure: Agent might leak input data via error messages or timing side-channels.
  * Denial of Service: Maliciously large or complex input could stall the agent, blocking the pipeline.
  * Elevation of Privilege: Not applicable if agent runs with minimal permissions (as assumed).
**Failure Modes & Mitigations**
* **Agent hangs on processing**: Implement a strict timeout; upstream circuit breaker.
* **Output contains unexpected data**: Add a strict output schema validation step post-agent.
* **Input queue poisoning**: Validate input size and structure before the agent receives it.
I’d love your thoughts—especially on whether the assumptions section is realistic, or if I’ve missed a common failure mode for these “simple” cases. What would you add or tighten?
—sarah (mod)
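A guardrail harness that applies the Failure Modes & Mitigations list above (size/structure check before the agent, strict timeout, output schema check after it) plus two of the STRIDE items (generic error messages so the agent cannot leak its input, and request-id logging with payload hashes for traceability). This is an added example, not code from the original post; the limits, the output schema, and the four sample agents are assumptions constructed for illustration.

```python
"""Guardrail harness for a single-function string agent (illustrative).

The limits and the output schema below are assumed values; replace them
with the real pipeline's contract.
"""
import concurrent.futures
import hashlib
import logging
import re
import time
import uuid
from dataclasses import dataclass
from typing import Callable, Optional

log = logging.getLogger("agent_harness")

MAX_INPUT_BYTES = 4096   # assumed: reject "maliciously large" input before the agent sees it
TIMEOUT_SECONDS = 0.25   # assumed: strict per-request budget
OUTPUT_SCHEMA = re.compile(r"[\x20-\x7e]{0,4096}")  # assumed: one bounded line of printable ASCII


@dataclass(frozen=True)
class Result:
    ok: bool
    output: Optional[str]
    error: Optional[str]   # generic text; never echoes the input or an exception message
    request_id: str        # ties log lines to the source request (repudiation)


def _fingerprint(s: str) -> str:
    """Log a hash of a payload rather than the payload, so logs cannot leak input."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()[:16]


def validate_input(raw: object) -> Optional[str]:
    """Size and structure checks that run before the agent (input queue poisoning)."""
    if not isinstance(raw, str):
        return "input must be a string"
    if len(raw.encode("utf-8")) > MAX_INPUT_BYTES:
        return "input too large"
    if any(ord(c) < 0x20 and c not in "\t\n" for c in raw):
        return "control characters not allowed"
    return None


def run_guarded(agent: Callable[[str], str], raw: object,
                timeout: float = TIMEOUT_SECONDS) -> Result:
    rid = uuid.uuid4().hex
    err = validate_input(raw)
    if err is not None:
        log.warning("request=%s outcome=rejected reason=%r", rid, err)
        return Result(False, None, err, rid)
    fp = _fingerprint(raw)
    # One worker per request so a stalled agent cannot starve later requests.
    # Caveat: a thread timeout hands control back to the caller but does not
    # stop the worker; the sandbox (process or cgroup limits) must kill it.
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=1)
    fut = pool.submit(agent, raw)
    try:
        out = fut.result(timeout=timeout)
    except concurrent.futures.TimeoutError:
        log.error("request=%s input_sha=%s outcome=timeout", rid, fp)
        return Result(False, None, "agent timed out", rid)
    except Exception as exc:
        # Log only the exception type: its message may contain the input.
        log.error("request=%s input_sha=%s outcome=exception type=%s",
                  rid, fp, type(exc).__name__)
        return Result(False, None, "agent error", rid)
    finally:
        pool.shutdown(wait=False)
    if not isinstance(out, str) or OUTPUT_SCHEMA.fullmatch(out) is None:
        log.error("request=%s input_sha=%s outcome=bad_output", rid, fp)
        return Result(False, None, "output failed schema check", rid)
    log.info("request=%s input_sha=%s output_sha=%s outcome=ok", rid, fp, _fingerprint(out))
    return Result(True, out, None, rid)


# --- constructed sample agents (assumptions, not real pipeline code) -------
def sanitize_log_line(s: str) -> str:
    """Happy path: fold a record onto one line of printable ASCII."""
    flat = " ".join(s.splitlines())
    return "".join(c if 0x20 <= ord(c) <= 0x7e else "?" for c in flat)


def leaky_agent(s: str) -> str:
    """Raises with the input in the message (information disclosure via errors)."""
    raise ValueError(f"cannot parse: {s}")


def slow_agent(s: str) -> str:
    """Stands in for e.g. catastrophic regex backtracking on crafted input."""
    time.sleep(0.3)
    return s


def forging_agent(s: str) -> str:
    """Emits a newline, letting one input forge an extra downstream log record."""
    return s + "\nlevel=INFO user=admin"


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for agent in (sanitize_log_line, leaky_agent, slow_agent, forging_agent):
        print(agent.__name__, run_guarded(agent, "user=alice\naction=login", timeout=0.05))
```

The harness returns only fixed error strings downstream and logs hashes plus a request id, so a failing request is traceable without the logs themselves becoming a disclosure channel. The thread-based timeout is the weak spot: it unblocks the pipeline but leaves the stalled worker running, which is why the sandbox assumption in the template has to include a hard CPU or wall-clock limit on the agent process.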