CtrlK
BlogDocsLog inGet started
Tessl Logo

security-threat-model

Repository-grounded threat modeling that enumerates trust boundaries, assets, attacker capabilities, abuse paths, and mitigations, and writes a concise Markdown threat model. Use when the user asks to threat model a codebase or path, enumerate threats or abuse paths, or perform AppSec threat modeling. Do NOT use for general architecture summaries, code review, security best practices (use security-best-practices), or non-security design work.

80

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

100%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A well-structured, lean instructional skill with a clear multi-step workflow, explicit validation/feedback checkpoints, and clean one-level-deep progressive disclosure into two real reference files. It scores at the top across all four content dimensions.

DimensionReasoningScore

Conciseness

Lean, imperative body that assumes Claude's competence — it never explains what threat modeling, trust boundaries, or assets are. Minor asset-list redundancy between steps 2 and 3 keeps it from being flawless, but every section earns its place.

3 / 3

Actionability

Concrete, specific instructional guidance throughout: a defined 8-step process, a literal output filename pattern (`<repo-or-dir-name>-threat-model.md`), qualitative low/medium/high scales, and a verbatim output contract in the referenced prompt template — actionable without needing code.

3 / 3

Workflow Clarity

Clear numbered sequence with explicit validation checkpoints: step 6 pauses for user feedback before finalizing, and step 8 is a pre-finalization quality-check checklist with feedback/retry semantics for error recovery.

3 / 3

Progressive Disclosure

The body is an overview pointing to two real, one-level-deep reference files (`references/prompt-template.md`, `references/security-controls-and-assets.md`), clearly signaled in a References section with a 'Only load the reference files you need' directive — easy navigation, no deep nesting.

3 / 3

Total

12

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A strong, third-person description that states concrete capabilities, gives explicit natural-language trigger conditions, and disambiguates from adjacent skills. It satisfies all four dimensions at the top of the scale.

DimensionReasoningScore

Specificity

Lists multiple concrete actions — 'enumerates trust boundaries, assets, attacker capabilities, abuse paths, and mitigations, and writes a concise Markdown threat model' — matching the level-3 anchor of multiple specific concrete actions.

3 / 3

Completeness

Explicitly answers both what (enumerates boundaries/assets/abuse paths/mitigations, writes a Markdown threat model) and when ('Use when the user asks to threat model a codebase or path...'), with an explicit 'Do NOT use for...' exclusion clause.

3 / 3

Trigger Term Quality

Natural user phrasing is well covered: 'threat model a codebase or path', 'enumerate threats or abuse paths', 'AppSec threat modeling' — terms a user would actually say.

3 / 3

Distinctiveness Conflict Risk

Clear niche with distinct triggers; it explicitly differentiates from sibling skills ('Do NOT use for... security best practices (use security-best-practices)... code review... non-security design work'), making wrong-skill conflict unlikely.

3 / 3

Total

12

/

12

Passed

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation16 / 16 Passed

Validation for skill structure

No warnings or errors.

Repository
tech-leads-club/agent-skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.