security-threat-model

Repository-grounded threat modeling that enumerates trust boundaries, assets, attacker capabilities, abuse paths, and mitigations, and writes a concise Markdown threat model. Use when the user asks to threat model a codebase or path, enumerate threats or abuse paths, or perform AppSec threat modeling. Do NOT use for general architecture summaries, code review, security best practices (use security-best-practices), or non-security design work.

Quality

85%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

Securityby

Passed

No known issues

Quality

Discovery

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that hits all the marks. It provides specific concrete actions, includes natural trigger terms, explicitly addresses both what and when, and proactively mitigates conflict risk with a 'Do NOT use' clause referencing a related skill. The description is concise yet comprehensive, serving as a strong example of how to write skill descriptions.

Dimension	Reasoning	Score
Specificity	Lists multiple specific concrete actions: 'enumerates trust boundaries, assets, attacker capabilities, abuse paths, and mitigations' and 'writes a concise Markdown threat model'. These are clearly defined, domain-specific actions.	3 / 3
Completeness	Clearly answers both 'what' (enumerates trust boundaries, assets, attacker capabilities, abuse paths, mitigations; writes Markdown threat model) and 'when' (explicit 'Use when...' clause with specific triggers). Also includes a 'Do NOT use' clause that further clarifies boundaries and references another skill by name.	3 / 3
Trigger Term Quality	Includes strong natural trigger terms users would say: 'threat model', 'enumerate threats', 'abuse paths', 'AppSec threat modeling', 'codebase'. These cover the natural language variations a user would employ when requesting this type of work.	3 / 3
Distinctiveness Conflict Risk	Highly distinctive with a clear niche in threat modeling. The explicit 'Do NOT use' clause with references to 'security-best-practices' skill directly addresses potential overlap, making it very unlikely to conflict with adjacent security-related skills.	3 / 3
	Total	12 / 12 Passed

Implementation

70%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured threat modeling skill with an excellent multi-step workflow that includes user validation checkpoints and a final quality gate. Its main weakness is the lack of concrete examples—a sample threat entry, abuse path format, or mini output snippet would significantly improve actionability. The content is mostly concise but has minor redundancies between steps 2 and 3 regarding asset enumeration.

Suggestions

Add a brief concrete example of a single threat/abuse path entry showing the expected format (attacker goal, boundary crossed, impact, likelihood, priority) to improve actionability.

Consolidate the asset enumeration that appears in both step 2 and step 3—currently assets are listed in both places with slightly different framing, which wastes tokens and creates ambiguity about where asset identification actually happens.

Dimension	Reasoning	Score
Conciseness	The content is mostly efficient and avoids explaining basic concepts Claude already knows, but some sections are slightly verbose—e.g., the enumerated lists in steps 2-3 overlap (assets listed twice), and some phrasing could be tightened ('Prioritizing realistic attacker goals and concrete impacts over generic checklists' in the intro is somewhat redundant with step 4).	2 / 3
Actionability	The workflow provides structured steps with specific guidance on what to identify and produce, but lacks concrete executable examples—no sample threat model output snippet, no example of what an abuse path entry looks like, and relies heavily on an external prompt template for the actual output format rather than showing it inline or providing a minimal example.	2 / 3
Workflow Clarity	The 8-step workflow is clearly sequenced with logical progression from scoping through enumeration, prioritization, user validation (an explicit pause/feedback loop at step 6), and a quality check before finalizing. The validation checkpoint in step 8 covers entrypoint coverage, boundary representation, and assumption tracking, which is excellent for a complex analytical process.	3 / 3
Progressive Disclosure	The skill provides a clear overview with well-signaled one-level-deep references to `references/prompt-template.md` and `references/security-controls-and-assets.md`, with explicit guidance to only load what's needed. Content is appropriately split between the main skill and reference files.	3 / 3
	Total	10 / 12 Passed

Validation

100%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository: tech-leads-club/agent-skills
Commit: 906a57d

Reviewed: 4 days ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.