
threat-model-creator

Threat Model Creator - Auto-activating skill for Security Advanced. Triggers on: threat model creator, threat model creator. Part of the Security Advanced skill category.

36

1.02x
Quality: 3% (Does it follow best practices?)

Impact: 99%, 1.02x (Average score across 3 eval scenarios)

Security by Snyk: Passed, no known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./planned-skills/generated/04-security-advanced/threat-model-creator/SKILL.md

Quality

Discovery

7%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This description is extremely weak—it is essentially just the skill name restated with boilerplate metadata. It provides no concrete actions, no meaningful trigger terms, and no guidance on when Claude should select this skill. It would be nearly useless for skill selection among a large set of available skills.

Suggestions

Add specific concrete actions the skill performs, e.g., 'Creates threat models using STRIDE/DREAD frameworks, identifies attack surfaces, maps data flows, and generates mitigation strategies.'

Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about threat modeling, security risk assessment, attack surface analysis, STRIDE analysis, or identifying security threats in a system architecture.'

Remove the redundant duplicate trigger term and replace with diverse natural language variations users might actually say, such as 'threat model', 'threat analysis', 'security threats', 'risk assessment', 'attack vectors'.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | The description names the skill ('Threat Model Creator') but provides no concrete actions. There is no indication of what the skill actually does—no verbs describing capabilities like 'identifies threats', 'generates threat models', 'analyzes attack surfaces', etc. | 1 / 3 |
| Completeness | The description fails to answer 'what does this do' beyond the name itself, and there is no 'when should Claude use it' clause. The 'Triggers on' line is just the skill name repeated, not meaningful trigger guidance. | 1 / 3 |
| Trigger Term Quality | The only trigger terms listed are 'threat model creator' repeated twice, which is extremely narrow and redundant. Users might say 'threat modeling', 'security threats', 'attack surface', 'STRIDE', 'risk assessment', etc., none of which are covered. | 1 / 3 |
| Distinctiveness Conflict Risk | The term 'threat model' is somewhat specific to a security niche, which provides some distinctiveness. However, being part of a 'Security Advanced skill category' without explaining what differentiates it from other security skills creates potential overlap. | 2 / 3 |
| Total | | 5 / 12 |

Passed

Implementation

0%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill is an empty shell with no substantive content. It consists entirely of generic boilerplate that could apply to any topic—simply substituting 'threat model creator' into a template. It provides zero actionable guidance on threat modeling methodologies (STRIDE, DREAD, PASTA, attack trees), no examples of threat model outputs, no templates, and no concrete steps for creating a threat model.

Suggestions

Add a concrete threat modeling workflow (e.g., 1. Define scope/assets, 2. Identify threats using STRIDE, 3. Assess risk with DREAD scoring, 4. Define mitigations, 5. Validate coverage) with explicit validation checkpoints.

Include a concrete example: a sample system description as input and a resulting threat model table (threat, category, severity, mitigation) as output.

Provide actionable templates or schemas for threat model artifacts (e.g., a markdown table template, a JSON schema for structured output, or a data flow diagram description format).

Remove all boilerplate sections ('When to Use', 'Example Triggers', 'Capabilities') that add no information and replace with actual threat modeling content covering frameworks like STRIDE, PASTA, or attack trees.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The content is entirely filler and boilerplate. It explains nothing Claude doesn't already know, repeats 'threat model creator' excessively, and provides zero domain-specific information about threat modeling. | 1 / 3 |
| Actionability | There are no concrete steps, commands, code examples, frameworks, templates, or any executable guidance. Every section is vague and abstract—'Provides step-by-step guidance' without actually providing any. | 1 / 3 |
| Workflow Clarity | No workflow is defined at all. There are no steps, no sequence, no validation checkpoints. The skill claims to provide 'step-by-step guidance' but contains none. | 1 / 3 |
| Progressive Disclosure | The content is a flat, shallow document with no references to detailed materials, no linked resources, and no structured navigation to deeper content. It mentions related skills but provides no actionable links. | 1 / 3 |
| Total | | 4 / 12 |

Passed

Validation

81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 |

Passed

Repository
jeremylongshore/claude-code-plugins-plus-skills
Reviewed
