MR
Mayur Rathi
@github
⭐ 34.1k GitHub stars

Tm7-Threat-Model

Tm7-Threat-Model is an code AI skill with a core value of Creates valid Microsoft Threat Modeling Tool (. It helps developers solve real-world problems in the code domain, boosting efficiency, automating repetitive tasks, and optimizing workflows.

Creates valid Microsoft Threat Modeling Tool (.tm7) files compatible with the Microsoft Threat Modeling Tool v7.3+. Use this skill whenever asked to create, generate, or modify a .tm7 threat model fil

Last verified on: 2026-07-16

Quick Facts

Category code
Works With Claude, GitHub Copilot
Source github/awesome-copilot
Stars ⭐ 34.1k
Last Verified 2026-07-16
Risk Level Low
mkdir -p ./skills/tm7-threat-model && curl -sfL https://raw.githubusercontent.com/github/awesome-copilot/main/skills/tm7-threat-model/SKILL.md -o ./skills/tm7-threat-model/SKILL.md

Run in terminal / PowerShell. Requires curl (Unix) or PowerShell 5+ (Windows).

Skill Content

# Microsoft Threat Modeling Tool (.tm7) Generator


You generate **valid `.tm7` files** for the Microsoft Threat Modeling Tool (v7.3+). A `.tm7`

file is **not** generic XML — it is a **WCF `DataContractSerializer`** document with an exact

namespace and element structure. If the structure is wrong, the tool refuses to open the file

with:


> "File is not an actual threat model or the threat model may be corrupted."


Your job is to translate a described system (components, data stores, external actors, data

flows, trust boundaries) into a diagram plus STRIDE threats, serialized in the exact `.tm7`

format described below.


Workflow


When asked to produce a `.tm7` file:


1. **Model the system.** Identify the elements:

- **Processes** (web apps, services, functions) → `StencilEllipse`, `GE.P`

- **Data stores** (databases, caches, queues, blobs) → `StencilParallelLines`, `GE.DS`

- **External interactors** (users, browsers, third-party systems) → `StencilRectangle`, `GE.EI`

- **Trust boundaries** → `BorderBoundary`, `GE.TB`

- **Data flows** connecting the above → `Connector`, `GE.DF`

2. **Assign a unique lowercase UUID** (e.g. `148ade68-5c80-40f3-8e1f-4e2cabdb5991`) to every

stencil and every flow. Never use human-readable ids like `users-browser`.

3. **Lay out coordinates** (`Left`/`Top`/`Width`/`Height`) so stencils don't overlap.

4. **Generate STRIDE threats** per interaction and place them in `<ThreatInstances>`.

5. **Serialize** using the structure in this guide, mirroring `assets/example-minimal.tm7`.

6. **Validate** against the "Common Mistakes" checklist before returning the file.

7. **Write the file with no XML declaration and no pretty-print indentation** (a single

continuous XML stream is what the serializer emits).


Always open [`assets/example-minimal.tm7`](./assets/example-minimal.tm7) first and adapt it — reuse its exact

serialization skeleton and only change stencil types, names, coordinates, flows, and threats.


CRITICAL: Serialization format


TM7 files use **WCF `DataContractSerializer` XML**, not standard XML.


The file MUST start with this exact root element — **no `<?xml?>` declaration**:


xml
<ThreatModel xmlns="http://schemas.datacontract.org/2004/07/ThreatModeling.Model" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">

**NEVER use:**

- `<?xml version="1.0" encoding="utf-8"?>` — causes deserialization failure.

- `xmlns:xsi` / `xmlns:xsd` — these are standard XML namespaces, not DataContract namespaces.

- Invented elements such as `<SecurityGaps>` or `<Mitigations>` — they do not exist in the

TM7 schema.


> **Note:** `<MetaInformation>` (with children like `<Owner>`, `<Contributors>`,

> `<Reviewer>`, `<Assumptions>`, `<ExternalDependencies>`, `<HighLevelSystemDescription>`,

> `<ThreatModelName>`), `<Notes>`, and `<KnowledgeBase>` **are** part of the real schema and

> are emitted by the tool — keep them (see the structure below and `assets/example-minimal.tm7`).

> Just don't invent elements that the tool never produces.


Required namespace prefixes


| Prefix | URI | Used for |

|--------|-----|----------|

| (default) | `http://schemas.datacontract.org/2004/07/ThreatModeling.Model` | Root `ThreatModel` |

| `xmlns:i` | `http://www.w3.org/2001/XMLSchema-instance` | Type attributes |

| `xmlns:z` | `http://schemas.microsoft.com/2003/10/Serialization/` | Reference ids (`z:Id`) |

| `xmlns:a` | `http://schemas.microsoft.com/2003/10/Serialization/Arrays` | Arrays / collections |

| `xmlns:b` | `http://schemas.datacontract.org/2004/07/ThreatModeling.KnowledgeBase` | Stencil properties |

| `xmlns:c` | `http://www.w3.org/2001/XMLSchema` | Primitive type values |


File structure (correct order)


A full tool export contains, in this order: `DrawingSurfaceList`, `MetaInformation`, `Notes`,

`ThreatInstances`, `ThreatMetaData` (often empty/self-closing), then the large generic

`KnowledgeBase` as a **top-level sibling** (not nested inside `ThreatMetaData`), and finally

`Profile`.


xml

🎯 Best For

  • Developers scaffolding new projects
  • Prototype builders
  • Claude users
  • GitHub Copilot users
  • Software engineers

💡 Use Cases

  • Bootstrapping React components
  • Creating API route handlers
  • Code quality improvement
  • Best practice enforcement

📖 How to Use This Skill

  1. 1

    Install the Skill

    Copy the install command from the Terminal tab and run it. The SKILL.md file downloads to your local skills directory.

  2. 2

    Load into Your AI Assistant

    Open Claude or GitHub Copilot and reference the skill. Paste the SKILL.md content or use the system prompt tab.

  3. 3

    Apply Tm7-Threat-Model to Your Work

    Open your project in the AI assistant and ask it to apply the skill. Start with a small module to verify the output quality.

  4. 4

    Review and Refine

    Review AI suggestions before committing. Run tests, check for regressions, and iterate on the skill output.

❓ Frequently Asked Questions

Can I customize the generated output?

Yes — modify the skill's prompt instructions to match your project conventions and coding style.

Is Tm7-Threat-Model compatible with Cursor and VS Code?

Yes — this skill works with any AI coding assistant including Cursor, VS Code with Copilot, and JetBrains IDEs.

Do I need specific dependencies for Tm7-Threat-Model?

Check the install command and Works With section. Most code skills only require the AI assistant and your codebase.

How do I install Tm7-Threat-Model?

Copy the install command from the Terminal tab and run it. The skill downloads to ./skills/tm7-threat-model/SKILL.md, ready to use.

Can I customize this skill for my team?

Absolutely. Edit the SKILL.md file to add team-specific instructions, examples, or workflows.

⚠️ Common Mistakes to Avoid

Using generated code without understanding

Understand what generated code does before shipping it to production.

Skipping validation

Always test AI-generated code changes, even for simple refactors.

Missing dependency updates

Check if the skill requires updated dependencies or new packages.

🔗 Related Skills