security-threat-model
Repository-grounded threat modeling that enumerates trust boundaries, assets, attacker capabilities, abuse paths, and mitigations, and writes a concise Markdown threat model. Use when the user asks to threat model a codebase or path, enumerate threats or abuse paths, or perform AppSec threat modeling. Do NOT use for general architecture summaries, code review, security best practices (use security-best-practices), or non-security design work.
88
85%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Quality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines its scope with specific actions, includes natural trigger terms, explicitly states both what it does and when to use it, and proactively distinguishes itself from related skills with a 'Do NOT use' clause. The cross-reference to 'security-best-practices' is a particularly strong touch for reducing conflict risk.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'enumerates trust boundaries, assets, attacker capabilities, abuse paths, and mitigations' and 'writes a concise Markdown threat model'. These are clearly defined, domain-specific actions. | 3 / 3 |
Completeness | Clearly answers both 'what' (enumerates trust boundaries, assets, attacker capabilities, abuse paths, mitigations; writes Markdown threat model) and 'when' (explicit 'Use when...' clause with triggers). Also includes explicit 'Do NOT use' guidance to reduce false matches. | 3 / 3 |
Trigger Term Quality | Includes strong natural trigger terms users would say: 'threat model', 'enumerate threats', 'abuse paths', 'AppSec threat modeling', 'codebase'. These cover the primary ways a user would phrase such a request. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive with a clear niche in threat modeling. The explicit exclusion clause ('Do NOT use for general architecture summaries, code review, security best practices (use security-best-practices)') directly addresses potential overlap with related skills and even cross-references another skill. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
70%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured threat modeling skill with excellent workflow clarity and progressive disclosure. Its main weakness is actionability—it describes what to do at each step but doesn't provide concrete examples of threat model entries, sample output snippets, or executable commands that would make the guidance more immediately usable. Conciseness is adequate but could be tightened in places.
Suggestions
Add a brief concrete example of a single threat entry (e.g., a sample abuse path with likelihood/impact/mitigation) so Claude has a clear template for the output format without needing to load the reference file.
Include a small example snippet showing what a trust boundary enumeration looks like in practice (e.g., 'Browser → API Gateway: HTTPS, JWT auth, rate-limited') to make Step 2 more actionable.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The content is mostly efficient and avoids explaining basic concepts Claude already knows, but some sections are slightly verbose with redundant phrasing (e.g., 'not a generic checklist' repeated conceptually, some bullet points could be tighter). The risk prioritization guidance section adds useful but somewhat obvious examples for Claude. | 2 / 3 |
Actionability | The skill provides structured steps and specific guidance (e.g., naming conventions for output files, references to prompt templates), but lacks concrete executable examples—no code snippets, no sample commands, no example output fragments. The guidance is descriptive rather than demonstrative, relying on external reference files for the actual output contract. | 2 / 3 |
Workflow Clarity | The 8-step workflow is clearly sequenced with logical progression from scoping through validation. Step 6 includes an explicit pause-and-validate checkpoint with the user before finalizing, and Step 8 provides a quality checklist before output. The feedback loop (validate assumptions → adjust) is well-defined. | 3 / 3 |
Progressive Disclosure | The skill provides a clear overview with well-signaled one-level-deep references to `references/prompt-template.md` and `references/security-controls-and-assets.md`. The instruction to 'only load the reference files you need' is a good touch. Content is appropriately split between the main skill and reference files. | 3 / 3 |
Total | 10 / 12 Passed |
Validation
100%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
- Repository
- tech-leads-club/agent-skills
- Commit
81e7e0d
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.