Produces structured security threat models with data flow tracing, pattern clustering, and exploit chain analysis. Activates on security review, threat model, or building security-sensitive features.
How this skill is triggered — by the user, by Claude, or both
Slash command
/pproenca-dot-skills-1:threat-modelThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Produces structured, evidence-backed security threat models for any codebase. Goes beyond surface enumeration by tracing untrusted data through actual code paths, clustering findings by root cause, and constructing exploit chains that combine individual findings into higher-severity attack paths.
Produces structured, evidence-backed security threat models for any codebase. Goes beyond surface enumeration by tracing untrusted data through actual code paths, clustering findings by root cause, and constructing exploit chains that combine individual findings into higher-severity attack paths.
Phase 0 (conditional): Diff Analysis — if git range provided, scope to changed code
Phase 1: Codebase Survey → Understand what the project is and does
Phase 2: Component Mapping → Identify components, data flows, and language bridges
Phase 3: Asset Identification → Determine what needs protecting
Phase 4: Trust Boundaries → Classify inputs by trust level, inventory entry points
Phase 5: Data Flow Tracing → Follow untrusted values from entry to sink ← key technique
Phase 6: Attack Surface Enum → Document surfaces with traced evidence
Phase 7: Pattern Clustering → Group 3+ similar findings by root cause
Phase 8: Exploit Chains → Combine findings into multi-step attack paths
Phase 9: Calibration → Rate with chain-adjusted and systemic severity
Phase 10: Output → Write structured THREAT-MODEL.md
scripts/trace-data-flows.sh <project-root> to inventory entry points and sinksscripts/scan-patterns.sh <project-root> for security-relevant code patternsThese techniques are the skill's core value — they encode analytical methods that produce findings the model wouldn't generate from general knowledge alone.
| Technique | When to Read | What It Adds |
|---|---|---|
| Data Flow Tracing | Phase 5 — always | Traces untrusted input from entry to sink through actual code. Produces evidence-backed findings instead of theoretical risks |
| Pattern Clustering | Phase 7 — after enumeration | Groups related findings by root cause. Recommends systemic fixes instead of individual patches |
| Exploit Chains | Phase 8 — after clustering | Combines findings into multi-step attack paths rated by terminal impact |
| Bridge Analysis | Phase 6 — when FFI/bridges found | Systematic checklist for cross-language boundaries (Swift↔C, Rust↔C, Rails↔NGINX) |
| Diff Analysis | Phase 0 — for incremental review | Scopes analysis to changed code, identifies regressions |
Produces two files (configurable via config.json):
findings.json — Structured, machine-readable findings. Source of truth. Consumed by threat-patch for automated remediation. Tracks finding state across runs (open → patched → verified → closed).THREAT-MODEL.md — Human-readable view generated from findings.json. 6 sections: Overview, Trust Boundaries, Attack Surfaces, Systemic Findings, Exploit Chains, Criticality Calibration.threat-model → findings.json → threat-patch (consumes findings, generates fixes)
↑ ↓
└── threat-model --diff (re-analyzes, updates finding status) ←── git commits
When findings.json exists from a prior run, the skill reads it to:
| Mode | Trigger | What It Does |
|---|---|---|
| Full analysis | "threat model this codebase" | Analyzes entire codebase, produces fresh findings.json + THREAT-MODEL.md |
| Diff analysis | "what changed since last review" / git range provided | Scopes to changed code, updates existing findings.json with new/resolved/regressed findings |
Diff mode is the daily driver for ongoing projects. Full mode runs once (or periodically).
| File | When to Read |
|---|---|
| references/methodology.md | Before starting — the 10-phase workflow |
| references/output-format.md | When writing output — 6-section template |
| references/findings-schema.md | When writing findings.json — structured schema |
| references/attack-patterns.md | When enumerating surfaces — technology patterns |
| references/techniques/ | During specific phases — analytical techniques |
npx claudepluginhub pproenca/dot-skillsGenerates a repository-grounded threat model enumerating trust boundaries, assets, attacker capabilities, abuse paths, and mitigations. Useful for AppSec threat modeling of codebases.
Generates repository-grounded threat models covering trust boundaries, assets, attacker capabilities, abuse paths, and mitigations. Supports STRIDE, PASTA, and attacker-goal methodologies with AI/ML and cloud-native considerations.
Performs a threat assessment of a repository and produces a threat-model.md file. Supports external repo analysis and optional YAML output.