Tm7-Threat-Model
Tm7-Threat-Model is an code AI skill with a core value of Creates valid Microsoft Threat Modeling Tool (. It
helps developers solve real-world problems in the code domain, boosting
efficiency, automating repetitive tasks, and optimizing workflows.
Creates valid Microsoft Threat Modeling Tool (.tm7) files compatible with the Microsoft Threat Modeling Tool v7.3+. Use this skill whenever asked to create, generate, or modify a .tm7 threat model fil
Quick Facts
mkdir -p ./skills/tm7-threat-model && curl -sfL https://raw.githubusercontent.com/github/awesome-copilot/main/skills/tm7-threat-model/SKILL.md -o ./skills/tm7-threat-model/SKILL.md Run in terminal / PowerShell. Requires curl (Unix) or PowerShell 5+ (Windows).
Skill Content
# Microsoft Threat Modeling Tool (.tm7) Generator
You generate **valid `.tm7` files** for the Microsoft Threat Modeling Tool (v7.3+). A `.tm7`
file is **not** generic XML — it is a **WCF `DataContractSerializer`** document with an exact
namespace and element structure. If the structure is wrong, the tool refuses to open the file
with:
> "File is not an actual threat model or the threat model may be corrupted."
Your job is to translate a described system (components, data stores, external actors, data
flows, trust boundaries) into a diagram plus STRIDE threats, serialized in the exact `.tm7`
format described below.
Workflow
When asked to produce a `.tm7` file:
1. **Model the system.** Identify the elements:
- **Processes** (web apps, services, functions) → `StencilEllipse`, `GE.P`
- **Data stores** (databases, caches, queues, blobs) → `StencilParallelLines`, `GE.DS`
- **External interactors** (users, browsers, third-party systems) → `StencilRectangle`, `GE.EI`
- **Trust boundaries** → `BorderBoundary`, `GE.TB`
- **Data flows** connecting the above → `Connector`, `GE.DF`
2. **Assign a unique lowercase UUID** (e.g. `148ade68-5c80-40f3-8e1f-4e2cabdb5991`) to every
stencil and every flow. Never use human-readable ids like `users-browser`.
3. **Lay out coordinates** (`Left`/`Top`/`Width`/`Height`) so stencils don't overlap.
4. **Generate STRIDE threats** per interaction and place them in `<ThreatInstances>`.
5. **Serialize** using the structure in this guide, mirroring `assets/example-minimal.tm7`.
6. **Validate** against the "Common Mistakes" checklist before returning the file.
7. **Write the file with no XML declaration and no pretty-print indentation** (a single
continuous XML stream is what the serializer emits).
Always open [`assets/example-minimal.tm7`](./assets/example-minimal.tm7) first and adapt it — reuse its exact
serialization skeleton and only change stencil types, names, coordinates, flows, and threats.
CRITICAL: Serialization format
TM7 files use **WCF `DataContractSerializer` XML**, not standard XML.
The file MUST start with this exact root element — **no `<?xml?>` declaration**:
<ThreatModel xmlns="http://schemas.datacontract.org/2004/07/ThreatModeling.Model" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">**NEVER use:**
- `<?xml version="1.0" encoding="utf-8"?>` — causes deserialization failure.
- `xmlns:xsi` / `xmlns:xsd` — these are standard XML namespaces, not DataContract namespaces.
- Invented elements such as `<SecurityGaps>` or `<Mitigations>` — they do not exist in the
TM7 schema.
> **Note:** `<MetaInformation>` (with children like `<Owner>`, `<Contributors>`,
> `<Reviewer>`, `<Assumptions>`, `<ExternalDependencies>`, `<HighLevelSystemDescription>`,
> `<ThreatModelName>`), `<Notes>`, and `<KnowledgeBase>` **are** part of the real schema and
> are emitted by the tool — keep them (see the structure below and `assets/example-minimal.tm7`).
> Just don't invent elements that the tool never produces.
Required namespace prefixes
| Prefix | URI | Used for |
|--------|-----|----------|
| (default) | `http://schemas.datacontract.org/2004/07/ThreatModeling.Model` | Root `ThreatModel` |
| `xmlns:i` | `http://www.w3.org/2001/XMLSchema-instance` | Type attributes |
| `xmlns:z` | `http://schemas.microsoft.com/2003/10/Serialization/` | Reference ids (`z:Id`) |
| `xmlns:a` | `http://schemas.microsoft.com/2003/10/Serialization/Arrays` | Arrays / collections |
| `xmlns:b` | `http://schemas.datacontract.org/2004/07/ThreatModeling.KnowledgeBase` | Stencil properties |
| `xmlns:c` | `http://www.w3.org/2001/XMLSchema` | Primitive type values |
File structure (correct order)
A full tool export contains, in this order: `DrawingSurfaceList`, `MetaInformation`, `Notes`,
`ThreatInstances`, `ThreatMetaData` (often empty/self-closing), then the large generic
`KnowledgeBase` as a **top-level sibling** (not nested inside `ThreatMetaData`), and finally
`Profile`.
🎯 Best For
- Developers scaffolding new projects
- Prototype builders
- Claude users
- GitHub Copilot users
- Software engineers
💡 Use Cases
- Bootstrapping React components
- Creating API route handlers
- Code quality improvement
- Best practice enforcement
📖 How to Use This Skill
- 1
Install the Skill
Copy the install command from the Terminal tab and run it. The SKILL.md file downloads to your local skills directory.
- 2
Load into Your AI Assistant
Open Claude or GitHub Copilot and reference the skill. Paste the SKILL.md content or use the system prompt tab.
- 3
Apply Tm7-Threat-Model to Your Work
Open your project in the AI assistant and ask it to apply the skill. Start with a small module to verify the output quality.
- 4
Review and Refine
Review AI suggestions before committing. Run tests, check for regressions, and iterate on the skill output.
❓ Frequently Asked Questions
Can I customize the generated output?
Yes — modify the skill's prompt instructions to match your project conventions and coding style.
Is Tm7-Threat-Model compatible with Cursor and VS Code?
Yes — this skill works with any AI coding assistant including Cursor, VS Code with Copilot, and JetBrains IDEs.
Do I need specific dependencies for Tm7-Threat-Model?
Check the install command and Works With section. Most code skills only require the AI assistant and your codebase.
How do I install Tm7-Threat-Model?
Copy the install command from the Terminal tab and run it. The skill downloads to ./skills/tm7-threat-model/SKILL.md, ready to use.
Can I customize this skill for my team?
Absolutely. Edit the SKILL.md file to add team-specific instructions, examples, or workflows.
⚠️ Common Mistakes to Avoid
Using generated code without understanding
Understand what generated code does before shipping it to production.
Skipping validation
Always test AI-generated code changes, even for simple refactors.
Missing dependency updates
Check if the skill requires updated dependencies or new packages.