AI SummaryGenerates repository-grounded threat models that identify trust boundaries, assets, attack paths, and mitigations in application code. Ideal for security engineers and developers performing AppSec threat modeling on specific codebases.
Install
Copy this and paste it into Claude Code, Cursor, or any AI assistant:
I want to install the "security-threat-model" skill in my project. Please run this command in my terminal: # Install skill into your project (5 files) mkdir -p .claude/skills/security-threat-model && curl --retry 3 --retry-delay 2 --retry-all-errors -o .claude/skills/security-threat-model/SKILL.md "https://raw.githubusercontent.com/openai/skills/main/skills/.curated/security-threat-model/SKILL.md" && curl --retry 3 --retry-delay 2 --retry-all-errors -o .claude/skills/security-threat-model/LICENSE.txt "https://raw.githubusercontent.com/openai/skills/main/skills/.curated/security-threat-model/LICENSE.txt" && mkdir -p .claude/skills/security-threat-model/agents && curl --retry 3 --retry-delay 2 --retry-all-errors -o .claude/skills/security-threat-model/agents/openai.yaml "https://raw.githubusercontent.com/openai/skills/main/skills/.curated/security-threat-model/agents/openai.yaml" && mkdir -p .claude/skills/security-threat-model/references && curl --retry 3 --retry-delay 2 --retry-all-errors -o .claude/skills/security-threat-model/references/prompt-template.md "https://raw.githubusercontent.com/openai/skills/main/skills/.curated/security-threat-model/references/prompt-template.md" && mkdir -p .claude/skills/security-threat-model/references && curl --retry 3 --retry-delay 2 --retry-all-errors -o .claude/skills/security-threat-model/references/security-controls-and-assets.md "https://raw.githubusercontent.com/openai/skills/main/skills/.curated/security-threat-model/references/security-controls-and-assets.md" Then restart Claude Code (or reload the window in Cursor) so the skill is picked up.
Description
Repository-grounded threat modeling that enumerates trust boundaries, assets, attacker capabilities, abuse paths, and mitigations, and writes a concise Markdown threat model. Trigger only when the user explicitly asks to threat model a codebase or path, enumerate threats/abuse paths, or perform AppSec threat modeling. Do not trigger for general architecture summaries, code review, or non-security design work.
3) Calibrate assets and attacker capabilities
• List the assets that drive risk (credentials, PII, integrity-critical state, availability-critical components, build artifacts). • Describe realistic attacker capabilities based on exposure and intended usage. • Explicitly note non-capabilities to avoid inflated severity.
Threat Model Source Code Repo
Deliver an actionable AppSec-grade threat model that is specific to the repository or a project path, not a generic checklist. Anchor every architectural claim to evidence in the repo and keep assumptions explicit. Prioritizing realistic attacker goals and concrete impacts over generic checklists.
Quick start
1) Collect (or infer) inputs: • Repo root path and any in-scope paths. • Intended usage, deployment model, internet exposure, and auth expectations (if known). • Any existing repository summary or architecture spec. • Use prompts in references/prompt-template.md to generate a repository summary. • Follow the required output contract in references/prompt-template.md. Use it verbatim when possible.
1) Scope and extract the system model
• Identify primary components, data stores, and external integrations from the repo summary. • Identify how the system runs (server, CLI, library, worker) and its entrypoints. • Separate runtime behavior from CI/build/dev tooling and from tests/examples. • Map the in-scope locations to those components and exclude out-of-scope items explicitly. • Do not claim components, flows, or controls without evidence.
Discussion
Health Signals
My Fox Den
Community Rating
Sign in to rate this booster