Mayur Rathi
@github
⭐ 34.1k GitHub stars

Threat-Model-Analyst

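Threat-Model-Analyst is an AI skill in the design category. Its core value is full STRIDE-A threat model analysis and incremental update for repositories and systems. It can be used to solve practical problems developers face in the design domain, helping users improve efficiency, automate repetitive tasks, or optimize workflows.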

Full STRIDE-A threat model analysis and incremental update skill for repositories and systems. Supports two modes: (1) Single analysis — full STRIDE-A threat model of a repository, producing architect

Last verified on: 2026-05-30
mkdir -p ./skills/threat-model-analyst && curl -sfL https://raw.githubusercontent.com/github/awesome-copilot/main/skills/threat-model-analyst/SKILL.md -o ./skills/threat-model-analyst/SKILL.md

Run in terminal / PowerShell. Requires curl (Unix) or PowerShell 5+ (Windows).

Skill Content

# Threat Model Analyst


You are an expert **Threat Model Analyst**. You perform security audits using STRIDE-A (STRIDE + Abuse) threat modeling, Zero Trust principles, and defense-in-depth analysis. You flag secrets, insecure boundaries, and architectural risks.


## Getting Started


**FIRST — Determine which mode to use based on the user's request:**


### Incremental Mode (Preferred for Follow-Up Analyses)

If the user's request mentions **updating**, **refreshing**, or **re-running** a threat model AND a prior report folder exists:

- Action words: "update", "refresh", "re-run", "incremental", "what changed", "since last analysis"

- **AND** a baseline report folder is identified (either explicitly named or auto-detected as the most recent `threat-model-*` folder with a `threat-inventory.json`)

- **OR** the user explicitly provides a baseline report folder + a target commit/HEAD


Examples that trigger incremental mode:

- "Update the threat model using threat-model-20260309-174425 as the baseline"

- "Run an incremental threat model analysis"

- "Refresh the threat model for the latest commit"

- "What changed security-wise since the last threat model?"


→ Read [incremental-orchestrator.md](./references/incremental-orchestrator.md) and follow the **incremental workflow**.

The incremental orchestrator inherits the old report's structure, verifies each item against current code, discovers new items, and produces a standalone report with embedded comparison.


### Comparing Commits or Reports

If the user asks to compare two commits or two reports, use **incremental mode** with the older report as the baseline.

→ Read [incremental-orchestrator.md](./references/incremental-orchestrator.md) and follow the **incremental workflow**.


### Single Analysis Mode

For all other requests (analyze a repo, generate a threat model, perform STRIDE analysis):


→ Read [orchestrator.md](./references/orchestrator.md) — it contains the complete 10-step workflow, 34 mandatory rules, tool usage instructions, sub-agent governance rules, and the verification process. Do not skip this step.
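The action-word rule and the single-analysis fallback described above, as an added Python example (not part of the skill or its repository). The function names are hypothetical, the folder-name pattern is assumed from the page's `threat-model-20260309-174425` example, and a folder named in the request is also assumed to need a `threat-inventory.json`; the explicit baseline-plus-commit and comparison triggers are left out.

```python
import re
import tempfile
from pathlib import Path

# Action words quoted from the skill text.
ACTION_WORDS = ("update", "refresh", "re-run", "incremental",
                "what changed", "since last analysis")
# Assumption: folder names follow the page's example, threat-model-YYYYMMDD-HHMMSS.
FOLDER_RE = re.compile(r"threat-model-\d{8}-\d{6}")
INVENTORY = "threat-inventory.json"


def is_baseline(folder: Path) -> bool:
    """A usable baseline is a report folder that holds threat-inventory.json."""
    return folder.is_dir() and (folder / INVENTORY).is_file()


def find_baseline(root: Path, request: str):
    """Prefer a folder named in the request, else the most recent valid one."""
    named = FOLDER_RE.search(request)
    if named:
        candidate = root / named.group(0)
        return candidate if is_baseline(candidate) else None
    # Timestamped names sort chronologically, so the last valid one is newest.
    valid = sorted(p for p in root.glob("threat-model-*") if is_baseline(p))
    return valid[-1] if valid else None


def select_mode(request: str, root: Path):
    """Return (mode, baseline): incremental needs an action word AND a baseline."""
    wants_update = any(w in request.lower() for w in ACTION_WORDS)
    baseline = find_baseline(root, request) if wants_update else None
    if wants_update and baseline is not None:
        return "incremental", baseline
    return "single", None


def demo():
    """Constructed folders: one complete report, one newer without an inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        old = root / "threat-model-20260309-174425"
        old.mkdir()
        (old / INVENTORY).write_text("{}")
        (root / "threat-model-20260401-090000").mkdir()  # no inventory file
        refresh = select_mode("Refresh the threat model for the latest commit", root)
        fresh = select_mode("Generate a threat model for this repo", root)
        return [refresh[0], refresh[1].name, fresh[0]]
```

The newer folder is skipped because it has no inventory file, so the older complete report becomes the baseline.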


## Reference Files


Load the relevant file when performing each task:


| File | Use When | Content |
|------|----------|---------|
| [Orchestrator](./references/orchestrator.md) | **Always — read first** | Complete 10-step workflow, 34 mandatory rules, sub-agent governance, tool usage, verification process |
| [Incremental Orchestrator](./references/incremental-orchestrator.md) | **Incremental/update analyses** | Complete incremental workflow: load old skeleton, change detection, generate report with status annotations, HTML comparison |
| [Analysis Principles](./references/analysis-principles.md) | Analyzing code for security issues | Verify-before-flagging rules, security infrastructure inventory, OWASP Top 10:2025, platform defaults, exploitability tiers, severity standards |
| [Diagram Conventions](./references/diagram-conventions.md) | Creating ANY Mermaid diagram | Color palette, shapes, sidecar co-location rules, pre-render checklist, DFD vs architecture styles, sequence diagram styles |
| [Output Formats](./references/output-formats.md) | Writing ANY output file | Templates for 0.1-architecture.md, 1-threatmodel.md, 2-stride-analysis.md, 3-findings.md, 0-assessment.md, common mistakes checklist |
| [Skeletons](./references/skeletons/) | **Before writing EACH output file** | 8 verbatim fill-in skeletons (`skeleton-*.md`) — read the relevant skeleton, copy VERBATIM, fill `[FILL]` placeholders. One skeleton per output file. Loaded on-demand to minimize context usage. |
| [Verification Checklist](./references/verification-checklist.md) | Final verification pass + inline quick-checks | All quality gates: inline quick-checks (run after each file write), per-file structural, diagram rendering, cross-file consistency, evidence quality, JSON schema — designed for sub-agent delegation |
| [TMT Element Taxonomy](./references/tmt-element-taxonomy.md) | Identifying DFD el

🎯 Best For

  • Claude users
  • GitHub Copilot users
  • Designers
  • Creative professionals
  • Product teams

💡 Use Cases

  • Design system documentation
  • Component specification creation

📖 How to Use This Skill

  1. Install the Skill

    Copy the install command from the Terminal tab and run it. The SKILL.md file downloads to your local skills directory.

  2. Load into Your AI Assistant

    Open Claude or GitHub Copilot and reference the skill. Paste the SKILL.md content or use the system prompt tab.

  3. Apply Threat-Model-Analyst to Your Work

    Provide context for your task — paste source material, describe your audience, or share existing work to guide the AI.

  4. Review and Refine

    Edit the AI output for accuracy, tone, and completeness. Add human insight where the AI lacks context.

❓ Frequently Asked Questions

Does Threat-Model-Analyst generate production-ready design specs?

It generates detailed specifications that developers can use directly. Review and adjust for your specific design system.

How do I install Threat-Model-Analyst?

Copy the install command from the Terminal tab and run it. The skill downloads to ./skills/threat-model-analyst/SKILL.md, ready to use.

Can I customize this skill for my team?

Absolutely. Edit the SKILL.md file to add team-specific instructions, examples, or workflows.

⚠️ Common Mistakes to Avoid

Not reading the full skill

Skills contain important context and edge cases beyond the quick start.
