fr33d3m0n/skill-threat-modeling

Code-First Deep Risk Analysis Skill for Claude Code - 8-Phase Workflow with Security design review, STRIDE Threat modeling, PenTest and attack chain analysis, Software compliance assessment

License: MIT | Language: Python

Deep Analysis

A code-based deep threat modeling skill that uses an 8-stage workflow combining the STRIDE methodology with multiple threat intelligence frameworks (CWE, CAPEC, ATT&CK, CVE)

Highly Recommended

Core Features

Complete process from project analysis through threat identification to the final report; each stage builds on the previous stages' outputs for comprehensive coverage

Threat intel database with 969 CWE entries, 615 CAPEC patterns, and 323,000+ CVE records

Complete STRIDE matrix generation and threat analysis capabilities

Auto-construct data flow diagrams to identify security boundaries and attack surfaces

Attack chain analysis and validation with proof-of-concept (PoC) design

Supports OWASP Top 10 for LLM and OWASP Agentic Security frameworks

Technical Implementation

Architecture: Dual-database design combining a static CWE/CAPEC knowledge base with a dynamic CVE/KEV vulnerability database; threat analysis follows the complete STRIDE→CWE→CAPEC→ATT&CK→CVE/KEV mapping chain
Execution Flow:

Key Components:
STRIDE Methodology
CWE (969 entries)
CAPEC (615 entries)
MITRE ATT&CK
CVE (323,000+)
Python + PyYAML
Highlights
  • Industry's most comprehensive threat intel chain: STRIDE→CWE→CAPEC→ATT&CK→CVE/KEV complete mapping
  • Large-scale vulnerability knowledge base with 320,000+ CVE records
  • Cutting-edge AI/LLM security analysis capabilities
  • Code-first analysis approach, extracting security insights directly from source code
  • Multiple deployment options: global, project-local, or environment-variable configuration
  • Auto-activation: keywords trigger the skill without manual invocation
Use Cases
  • Security design review and threat modeling for REST APIs
  • Security assessment for AI/LLM applications
  • Attack surface analysis before penetration testing
  • Software compliance assessment (correlating with known vulnerabilities)
  • Security architecture design reference for new projects
  • Automated security analysis in DevSecOps processes
Limitations
  • Requires Python 3.8+ and PyYAML 6.0+ runtime environment
  • CVE database needs periodic updates to stay current
  • Full 8-stage process may take considerable time
  • Analysis of non-standard code structures may be limited
Tech Stack
Python 3.8+ · PyYAML 6.0+ · STRIDE · CWE · CAPEC · MITRE ATT&CK · CVE/KEV · OWASP Top 10 for LLM · OWASP Agentic Security

Code-First Deep Risk Analysis Skill

Code-First Automated Threat Modeling Toolkit | Version 2.1.1

8-Phase Serial Workflow · Dual Knowledge Base Architecture · STRIDE+CWE+CAPEC+ATT&CK Full Chain Mapping



Overview

A comprehensive Code-First threat modeling toolkit for Claude Code that transforms source code analysis into actionable security insights through an 8-phase serial workflow.

Key Features

| Feature | Description |
| 8-Phase Serial Workflow | Strict sequential execution ensuring maximum depth and complete coverage |
| Dual Knowledge Base | Core DB (969 CWE, 615 CAPEC) + CVE Extension (323K+ CVE) |
| Full Chain Mapping | STRIDE → CWE → CAPEC → ATT&CK → CVE/KEV intelligence chain |
| Security Design & Control | 11 security principles + 16 security domains assessment with control mapping |
| Attack Path Validation | CAPEC + ATT&CK attack chain mapping with POC design |
| KB-Enhanced Mitigations | Context-aware mitigation suggestions per threat |
| AI/LLM Extensions | OWASP LLM Top 10 + AI component threat coverage |
| Agent Skill Prompt Assessment | OWASP Agentic Top 10 (ASI01-ASI10) + Least Agency principle evaluation |

Workflow Overview

Phase 1 ────►  Phase 2 ────►  Phase 3 ────►  Phase 4 ────►  Phase 5 ────►  Phase 6 ────►  Phase 7 ────►  Phase 8
Project        Call Flow      Trust          Security       STRIDE         Risk           Mitigation     Report
Understanding  DFD            Boundaries     Design         Analysis       Validation

Installation

Multi-Platform Support

This skill supports multiple AI agent platforms:

┌─────────────────────────────────────────────────────────────────────────────┐
│                        Supported Agent Platforms                             │
├─────────────────────────────────────────────────────────────────────────────┤
│  Platform        │  Global Path                    │  Project-Local Path    │
├──────────────────┼─────────────────────────────────┼────────────────────────┤
│  Claude Code     │  ~/.claude/skills/              │  .claude/skills/       │
│  OpenAI Codex    │  ~/.codex/skills/               │  .codex/skills/        │
│  GitHub Copilot  │  (uses .github/skills/)         │  .github/skills/       │
│  Qwen Code       │  ~/.qwen/agents/                │  .qwen/agents/         │
│  Goose           │  ~/.config/goose/skills/        │  .goose/skills/        │
│  Portable (XDG)  │  ~/.config/agents/skills/       │  .agents/skills/       │
└─────────────────────────────────────────────────────────────────────────────┘

Installation Options

┌─────────────────────────────────────────────────────────────┐
│                 How to Choose Installation?                  │
├─────────────────────────────────────────────────────────────┤
│                                                              │
│  Personal use, share across projects  ──────►  Global       │
│                                        ~/.claude/skills/     │
│                                                              │
│  Team collaboration, version control  ──────►  Project-local│
│                                        project/.claude/skills│
│                                                              │
│  Cross-platform / portable            ──────►  XDG Standard │
│                                        ~/.config/agents/skills│
│                                                              │
└─────────────────────────────────────────────────────────────┘

System Requirements

Python 3.8+  |  PyYAML >= 6.0

Option 1: Global Installation (Available to All Projects)

# Clone from GitHub (directory will be named "skill-threat-modeling")
git clone https://github.com/fr33d3m0n/skill-threat-modeling.git

# Copy to Claude Code global skills directory (rename to "threat-modeling")
cp -r skill-threat-modeling ~/.claude/skills/threat-modeling

# Or keep the original name (both work!)
cp -r skill-threat-modeling ~/.claude/skills/skill-threat-modeling

# Install dependencies
pip install pyyaml

Option 2: Project-Local Installation (Current Project Only)

# Create .claude/skills directory in project root
mkdir -p /path/to/your-project/.claude/skills

# Copy skill to project local
cp -r skill-threat-modeling /path/to/your-project/.claude/skills/threat-modeling

# Install dependencies
pip install pyyaml

Option 3: Environment Variable (Explicit Path)

# Set SKILL_PATH to skill location (works with any directory name)
export SKILL_PATH=/path/to/skill-threat-modeling

# Scripts will auto-detect via environment variable
python "$SKILL_PATH/scripts/unified_kb_query.py" --stride spoofing

Installation Comparison:

| Method | Path | Scope | Directory Name |
| Global | ~/.claude/skills/ | All projects | threat-modeling or skill-threat-modeling |
| Project-local | project/.claude/skills/ | Current project only | threat-modeling or skill-threat-modeling |
| XDG Portable | ~/.config/agents/skills/ | Cross-platform | Any |
| Environment | $SKILL_PATH | Explicit override | Any |

Recommendation: For team-shared security assessment projects, use project-local installation so the skill can be version controlled with project code.

Verify Installation

python scripts/unified_kb_query.py --all-stride --pretty

Directory Structure

threat-modeling/
├── SKILL.md                  # ← Claude Code entry point (8-phase workflow)
├── WORKFLOW.md               # Detailed workflow templates
├── VALIDATION.md             # Validation rules and quality gates
├── REPORT.md                 # Report generation templates
├── README.md / README-cn.md  # Documentation (EN/CN)
├── EXAMPLES.md / EXAMPLES-cn.md  # Usage examples
├── VERSION                   # Version number
├── LICENSE                   # BSD-3-Clause license
├── scripts/                  # Tool scripts
│   ├── list_files.py             # Phase 1: Project structure analysis
│   ├── stride_matrix.py          # Phase 5: STRIDE matrix
│   ├── unified_kb_query.py       # Phase 5/6/7: Unified KB query
│   ├── collect_code_stats.py     # Code statistics collection
│   └── validate_count_conservation.py  # Validation utility
├── assets/
│   ├── knowledge/            # Dual database knowledge system
│   │   ├── security_kb.sqlite    # Core DB (18MB)
│   │   ├── security-*.yaml       # Security rules and mappings
│   │   ├── security-controls/    # 16 security domain controls
│   │   └── semantic_index/       # Semantic search index
│   ├── schemas/              # Output schema definitions
│   └── templates/            # Report templates
├── references/               # Architecture documentation
│   ├── SKILL-ARCHITECTURE-DESIGN.md      # System architecture
│   ├── ARCHITECTURE-WORKFLOW-GUIDE.md    # Workflow guide
│   └── KNOWLEDGE-ARCHITECTURE-v5.2.md    # Knowledge base architecture
├── kb                        # Knowledge base symlink
└── skill_path.sh             # Path detection helper

Quick Start

Using in Claude Code

Auto-Activation

The skill automatically activates when you mention these keywords:

| English | Chinese |
| threat model | 威胁建模 |
| security assessment | 安全评估 |
| security check | 安全检查 |
| DFD / data flow diagram | 数据流图 |
| trust boundary | 信任边界 |
| attack surface | 攻击面 |
| STRIDE analysis | STRIDE 分析 |

Usage Examples

Threat Modeling

User: Help me threat model @/path/to/project

Claude: [Auto-activates skill]
        Phase 1: Analyzing project structure...
        Phase 2: Building DFD...
        Phase 5: STRIDE analysis...

        ## Threat List
        | ID | Category | Description | Priority |
        | T-S-P1-001 | Spoofing | API lacks authentication | Critical |
        ...

Quick Security Check

User: Quick security check on this service @/path/to/service

Claude: Found 3 high-severity threats:
        - T-S-P1-001: API endpoint lacks authentication
        - T-E-P2-001: Delete endpoint missing authorization
        - T-I-DF1-001: Sensitive data transmitted in plaintext
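
The IDs in the sample output above read as T-<STRIDE letter>-<DFD element>-<sequence>. The following added example (not the skill's own code) parses that assumed format and flags malformed, duplicate, or inapplicable IDs using the classic STRIDE-per-element chart rather than the skill's per-interaction rules; the EI and DS prefixes and the function names are assumptions.

```python
import re
from collections import Counter

# Classic STRIDE-per-element chart: categories that apply to each DFD element.
# P and DF appear in the sample output; the EI and DS prefixes are assumed.
APPLICABLE = {
    "EI": set("SR"),      # external interactor
    "P": set("STRIDE"),   # process
    "DS": set("TRID"),    # data store (R when it holds audit logs)
    "DF": set("TID"),     # data flow
}
ID_RE = re.compile(r"^T-([STRIDE])-(EI|DS|DF|P)(\d+)-(\d{3})$")


def parse_threat_id(tid):
    """Split an ID into category, element type, element number and sequence."""
    m = ID_RE.match(tid)
    if not m:
        return None
    cat, etype, num, seq = m.groups()
    return {"category": cat, "element": etype, "index": int(num), "seq": int(seq)}


def audit(ids):
    """Return {id: [problems]} for malformed, duplicate or inapplicable IDs."""
    findings = {}
    counts = Counter(ids)
    for tid in ids:
        problems = []
        parsed = parse_threat_id(tid)
        if parsed is None:
            problems.append("malformed")
        elif parsed["category"] not in APPLICABLE[parsed["element"]]:
            problems.append("category not applicable to element type")
        if counts[tid] > 1:
            problems.append("duplicate")
        if problems:
            findings[tid] = problems
    return findings


# The first three IDs come from the sample output; the rest are constructed.
SAMPLE = ["T-S-P1-001", "T-E-P2-001", "T-I-DF1-001",
          "T-S-DF1-002", "T-X-P1-003", "T-E-P2-001"]

if __name__ == "__main__":
    for tid, problems in audit(SAMPLE).items():
        print(tid, "->", ", ".join(problems))
```

Run over a generated threat list before the report phase, a check like this catches a renumbering collision or a category assigned to the wrong element type while it is still cheap to fix.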

AI/LLM Applications

User: Analyze security risks for this RAG app @/path/to/rag-app

Claude: [Enables OWASP LLM Top 10 extension]
        - LLM01: Prompt Injection risk
        - LLM06: Sensitive information disclosure risk
        ...

Manual Script Execution

# Project structure analysis (Phase 1)
python scripts/list_files.py ./project --categorize --detect-type --pretty

# Knowledge base queries (Phase 5/6/7)
python scripts/unified_kb_query.py --full-chain CWE-89
python scripts/unified_kb_query.py --capec CAPEC-66 --attack-chain
python scripts/unified_kb_query.py --attack-technique T1059
python scripts/unified_kb_query.py --cwe CWE-89 --mitigations
python scripts/unified_kb_query.py --all-llm

Core Capabilities

8-Phase Workflow Outputs

| Phase | Output |
| 1-4 | Project overview, DFD diagram, key interfaces/boundaries/data nodes, security design matrix |
| 5 | Threat list (STRIDE+CWE+ATT&CK+LLM) |
| 6 | Validation methods (attack paths + POC) |
| 7 | Mitigations (remediation suggestions per threat) |
| 8 | {PROJECT}-RISK-ASSESSMENT-REPORT.md comprehensive report |

Capability Matrix

| Capability | Description |
| 8-Phase Serial Workflow | Strict sequential execution with phase output chaining |
| DFD Construction | Mermaid templates + element inventory + trust boundaries |
| STRIDE Matrix | TMT-compatible STRIDE per Interaction |