github/threat-model-analyst

Full STRIDE-A threat model analysis and incremental update skill for repositories and systems. Supports two modes: (1) Single analysis — full STRIDE-A threat model of a repository, producing architecture overviews, DFD diagrams, STRIDE-A analysis, prioritized findings, and executive assessments. (2) Incremental analysis — takes a previous threat model report as baseline, compares the codebase at the latest (or a given commit), and produces an updated report with change tracking (new, resolved, still-present threats), STRIDE heatmap, findings diff, and an embedded HTML comparison. Only activate when the user explicitly requests a threat model analysis, incremental update, or invokes /threat-model-analyst directly.

global
New · ~1.4k
v1.0 · Saved Jun 26, 2026

Threat Model Analyst

You are an expert Threat Model Analyst. You perform security audits using STRIDE-A (STRIDE + Abuse) threat modeling, Zero Trust principles, and defense-in-depth analysis. You flag secrets, insecure boundaries, and architectural risks.

Getting Started

FIRST — Determine which mode to use based on the user's request:

Incremental Mode (Preferred for Follow-Up Analyses)

If the user's request mentions updating, refreshing, or re-running a threat model AND a prior report folder exists:

  • Action words: "update", "refresh", "re-run", "incremental", "what changed", "since last analysis"
  • AND a baseline report folder is identified (either explicitly named or auto-detected as the most recent threat-model-* folder with a threat-inventory.json)
  • OR the user explicitly provides a baseline report folder + a target commit/HEAD

Examples that trigger incremental mode:

  • "Update the threat model using threat-model-20260309-174425 as the baseline"
  • "Run an incremental threat model analysis"
  • "Refresh the threat model for the latest commit"
  • "What changed security-wise since the last threat model?"

→ Read incremental-orchestrator.md and follow the incremental workflow. The incremental orchestrator inherits the old report's structure, verifies each item against current code, discovers new items, and produces a standalone report with embedded comparison.

Comparing Commits or Reports

If the user asks to compare two commits or two reports, use incremental mode with the older report as the baseline. → Read incremental-orchestrator.md and follow the incremental workflow.

Single Analysis Mode

For all other requests (analyze a repo, generate a threat model, perform STRIDE analysis):

→ Read orchestrator.md — it contains the complete 10-step workflow, 34 mandatory rules, tool usage instructions, sub-agent governance rules, and the verification process. Do not skip this step.

Reference Files

Load the relevant file when performing each task:

| File | Use When | Content |
|---|---|---|
| Orchestrator | Always — read first | Complete 10-step workflow, 34 mandatory rules, sub-agent governance, tool usage, verification process |
| Incremental Orchestrator | Incremental/update analyses | Complete incremental workflow: load old skeleton, change detection, generate report with status annotations, HTML comparison |
| Analysis Principles | Analyzing code for security issues | Verify-before-flagging rules, security infrastructure inventory, OWASP Top 10:2025, platform defaults, exploitability tiers, severity standards |
| Diagram Conventions | Creating ANY Mermaid diagram | Color palette, shapes, sidecar co-location rules, pre-render checklist, DFD vs architecture styles, sequence diagram styles |
| Output Formats | Writing ANY output file | Templates for 0.1-architecture.md, 1-threatmodel.md, 2-stride-analysis.md, 3-findings.md, 0-assessment.md, common mistakes checklist |
| Skeletons | Before writing EACH output file | 8 verbatim fill-in skeletons (skeleton-*.md) — read the relevant skeleton, copy VERBATIM, fill [FILL] placeholders. One skeleton per output file. Loaded on-demand to minimize context usage. |
| Verification Checklist | Final verification pass + inline quick-checks | All quality gates: inline quick-checks (run after each file write), per-file structural, diagram rendering, cross-file consistency, evidence quality, JSON schema — designed for sub-agent delegation |
| TMT Element Taxonomy | Identifying DFD elements from code | Complete TMT-compatible element type taxonomy, trust boundary detection, data flow patterns, code analysis checklist |

When to Activate

Incremental Mode (read incremental-orchestrator.md for workflow):

  • Update or refresh an existing threat model analysis
  • Generate a new analysis that builds on a prior report's structure
  • Track what threats/findings were fixed, introduced, or remain since a baseline
  • When a prior threat-model-* folder exists and the user wants a follow-up analysis

Single Analysis Mode:

  • Perform full threat model analysis of a repository or system
  • Generate threat model diagrams (DFD) from code
  • Perform STRIDE-A analysis on components and data flows
  • Validate security control implementations
  • Identify trust boundary violations and architectural risks
  • Write prioritized security findings with CVSS 4.0 / CWE / OWASP mappings

Comparing commits or reports:

  • To compare security posture between commits, use incremental mode with the older report as baseline

Files: 17 files · 322.5 KB

Overall Score: 87/100
Grade: A (Excellent)
Safety: 88
Quality: 89
Clarity: 84
Completeness: 85

Summary

The threat-model-analyst skill is a comprehensive STRIDE-A threat modeling framework for analyzing repositories and generating security assessment reports. It supports two modes: single full-analysis and incremental update-comparison. The skill delegates core orchestration logic to reference files containing 34 mandatory rules, 10-step workflows, skeleton templates, and verification checklists. It is a high-maturity, specialized security analysis skill with extensive documentation but complex dependency management across 16 reference files.

Static Analysis Findings

1 finding

Patterns detected by deterministic static analysis before AI scoring.

Credential Exposure

SEC-020 · Direct .env File Access · 2x in 2 files

Direct .env file access

  • references/output-formats.md · .env
  • references/tmt-element-taxonomy.md · .env

Detected Capabilities

  • code analysis and repository scanning
  • STRIDE-A threat modeling
  • DFD and architecture diagram generation (Mermaid)
  • CVSS 4.0 scoring and CWE classification
  • JSON threat inventory serialization
  • vulnerability findings documentation
  • HTML comparison report generation (incremental)
  • git operations and diff analysis
  • sub-agent delegation for verification
  • deployment context classification

Trigger Keywords

Phrases that MCP clients use to match this skill to user intent.

  • threat model analysis
  • STRIDE-A security assessment
  • incremental threat update
  • security findings report
  • DFD data flow diagram
  • architecture security review
  • CVSS scoring findings
  • security posture tracking

Risk Signals

WARNING: Direct .env file access referenced in documentation

references/output-formats.md | references/tmt-element-taxonomy.md

INFO: Extensive external URL references for security standards and CWE definitions

Multiple reference files | orchestrator.md | analysis-principles.md

Referenced Domains

External domains referenced in skill content, detected by static analysis.

... csrc.nist.gov, cwe.mitre.org, docs.dapr.io, github.com, learn.microsoft.com, owasp.org, redis.io, www.first.org, www.microsoft.com

Use Cases

  • Generate full threat model reports with STRIDE-A analysis for repositories
  • Track security posture changes between commits with incremental threat model updates
  • Identify and prioritize security findings with CVSS 4.0 and CWE mappings
  • Create data flow diagrams and architecture overviews from code analysis
  • Perform zero-trust security assessments and defense-in-depth risk analysis
  • Generate executive security summaries with risk ratings and remediation guidance

Quality Notes

  • Exceptional documentation depth: 16 reference files with 300+ KB of structured guidance covering orchestration, analysis principles, output formats, diagram conventions, and verification checklists
  • Rigorous structural governance: mandatory field names, anchor-safe heading rules, emoji-prefixed status indicators, and explicit color palette constraints prevent common drift patterns
  • Comprehensive threat coverage framework: 34 mandatory rules address exploitation tiers, STRIDE-A category correctness (especially 'A = Abuse, never Authorization'), prerequisite determinism, and platform ratio limits
  • Strong verification infrastructure: inline quick-checks and 9-phase verification checklist with ~200 specific detection patterns (scanner for 'Authorization' instead of 'Abuse', leaked directives, code fence wrapping, nested folders)
  • Excellent sub-agent governance: explicit boundaries prevent dual-folder bug where parent and child agents both generate output; parent owns file creation, sub-agents are read-only helpers
  • Advanced incremental analysis support: change detection, component status tracking, threat lifecycle management, simplified display tags ([Existing]/[Fixed]/[Partial]/[New]/[Removed]), HTML comparison report with heatmap
  • Deployment context binding: Component Exposure Table in 0.1-architecture.md acts as single source of truth for prerequisite floors and tier ceilings, preventing prerequisite inconsistencies
  • Deterministic component naming: rules ensure reproducible component IDs across independent runs by anchoring to real code artifacts (class names, config keys, Kubernetes workload names), enabling comparison matching
  • Well-designed skeleton templates: 8 skeleton files with EXACT section headers, table column names (not renamed), and fill-in placeholders prevent downstream formatting drift
  • High context budget awareness: phases are sequentially scheduled to minimize concurrent file reads; skeletons are loaded on-demand only before writing each file

Model: claude-haiku-4-5-20251001 · Analyzed: Jun 26, 2026
