security-threat-model

by openai

Repository-grounded security-threat-model skill for AppSec threat modeling. It maps trust boundaries, assets, attacker goals, abuse paths, and mitigations into a concise Markdown threat model. Use it when you need security-threat-model for Threat Modeling on a specific repo or path, not a generic architecture review or code check.

Stars0

Favorites0

Comments0

AddedMay 8, 2026

CategoryThreat Modeling

Install Command

npx skills add openai/skills --skill security-threat-model

Curation Score

This skill scores 88/100, which means it is a solid listing candidate for directory users who want repo-grounded AppSec threat modeling. The repository gives a clear trigger, a concrete output contract, and enough workflow guidance to reduce guesswork versus a generic prompt, though users should still expect some manual assembly from repo evidence and prompts.

88/100

Strengths

Explicit trigger rules narrow when the skill should be used, reducing misuse for non-security tasks.
Strong workflow guidance for repo-grounded threat modeling, including scope extraction, trust boundaries, attacker goals, and prioritized abuse paths.
Useful references/prompt templates and a default agent prompt provide practical leverage and a clearer execution path.

Cautions

No install command in SKILL.md, so adoption may require manual setup or extra wiring.
The repo depends on external repository summaries and prompt-template usage, so execution can still require user-provided context and some synthesis.

Docs Template Developer Audience

Overview

Overview of security-threat-model skill

What security-threat-model does

The security-threat-model skill turns a repository or path into a grounded AppSec threat model, focused on trust boundaries, assets, attacker goals, abuse paths, and mitigations. It is the right security-threat-model for Threat Modeling when you need a decision-ready security view of a real codebase, not a generic checklist.

Who should use it

Use this security-threat-model skill if you are shipping software, reviewing a risky feature, or preparing an AppSec review and need a concise Markdown output you can share with engineers. It fits best when you already know the repo, service, or subsystem in scope and want the model tied to actual implementation details.

When it is a good fit

This skill is strongest when the user asks to threat model a specific repository, folder, service, CLI, or workflow. It is designed to surface realistic attacker paths, rank impact, and make assumptions explicit so you can separate confirmed architecture from inferred behavior.

Where it is not the right tool

Do not use it for general architecture summaries, routine code review, or non-security design work. If the request does not involve abuse cases, attack surface, or AppSec risk, the security-threat-model install will add more process than value.

How to Use security-threat-model skill

Install and inspect the repo

Run npx skills add openai/skills --skill security-threat-model to install the skill. After installation, read SKILL.md first, then open references/prompt-template.md and references/security-controls-and-assets.md to understand the expected output shape and the asset/control vocabulary used by the security-threat-model guide.

Give it the right input

Strong prompts name the repo, the in-scope path, the runtime shape, and any deployment facts you already know. For example: “Threat model services/api in this monorepo; it is internet-facing, uses JWT auth, stores user uploads, and calls a payment provider.” That is better than “review this code” because the skill needs scope, exposure, and trust assumptions to build a useful model.

How to invoke it well

The security-threat-model usage pattern is to ask for a repository-grounded threat model with evidence-backed claims, prioritized threats, and explicit open questions. If you have a repo summary, include it; if not, ask the skill to derive one and mark unknowns. A good prompt also tells it whether to emphasize runtime behavior, APIs, data handling, or supply-chain risk.

Best workflow and files to read

Start with SKILL.md to understand the workflow, then inspect references/prompt-template.md for the exact threat-model contract and references/security-controls-and-assets.md for the asset/control checklist. If the repo includes agents/openai.yaml or other support files, use them to align the output with the project’s preferred interface and wording.

security-threat-model skill FAQ

Is this only for AppSec teams?

No. It is useful for developers, platform engineers, security engineers, and reviewers who need a practical threat model before launch or during a design change. The output is still technical, but it is written to help implementation decisions.

How is this different from a normal prompt?

A normal prompt often produces a generic list of risks. The security-threat-model skill expects repo evidence, separates runtime from tests and tooling, and pushes for abuse paths instead of broad vulnerability trivia. That makes it better for security-threat-model usage when the goal is a defensible review rather than a brainstorming exercise.

Can beginners use it?

Yes, if they can describe the system and share a repo path or summary. Beginners get the best results when they name what the system does, who uses it, what data it handles, and whether it is exposed to the internet or other tenants.

When should I not install it?

Skip the security-threat-model install if you only need a high-level product explanation, a code walkthrough, or a quick architecture diagram. It is also a poor fit if you cannot provide enough repository context for grounded security analysis.

How to Improve security-threat-model skill

Give stronger scope and evidence

The biggest quality jump comes from precise scope: exact paths, entrypoints, data stores, external services, and deployment context. If you can provide a repo summary, architecture notes, or a list of user-facing endpoints, the security-threat-model skill can anchor threats to real components instead of guessing.

State attacker goals and boundaries

Tell it what you most want protected: customer data, auth tokens, internal admin actions, availability, or tenant isolation. Also call out trust boundaries such as browser-to-API, worker-to-queue, or service-to-third-party, because those boundaries drive the most useful abuse-path analysis.

Ask for prioritized, actionable output

If you want better results, request prioritization by likelihood and impact, plus mitigations that map to specific boundaries or components. That helps the skill produce a security-threat-model guide that engineers can act on, rather than a list of abstract concerns.

Iterate with missing details

After the first pass, feed back the unknowns that matter most, such as auth design, upload handling, background jobs, or multi-tenant assumptions. Iterating on those gaps usually improves the second output more than asking for more threats, because the model becomes less speculative and more implementation-ready.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

solana-vulnerability-scanner

by trailofbits

solana-vulnerability-scanner is a focused Solana security audit skill for native Rust and Anchor programs. It helps review CPI logic, PDA validation, signer and ownership checks, and sysvar spoofing to catch six critical Solana-specific vulnerabilities before deployment.

Security Audit

Favorites 0GitHub 4.9k

exploiting-insecure-data-storage-in-mobile

by mukul975

The exploiting-insecure-data-storage-in-mobile skill helps assess and extract evidence from insecure local storage in Android and iOS apps. It covers SharedPreferences, SQLite databases, plist files, world-readable files, backup exposure, and weak keychain/keystore handling for mobile pentesting and Security Audit workflows.

Security Audit

Favorites 0GitHub 6.2k

algorand-vulnerability-scanner

by trailofbits

algorand-vulnerability-scanner is a security-audit skill for Algorand TEAL and PyTeal. It helps find 11 common issues, including rekeying attacks, fee validation gaps, field checks, and access control flaws. Use the algorand-vulnerability-scanner skill for a practical first-pass review before a manual audit.

Security Audit

Favorites 0GitHub 4.9k

evaluating-threat-intelligence-platforms

by mukul975

evaluating-threat-intelligence-platforms helps you compare TIP products by feed ingestion, STIX/TAXII support, automation, analyst workflow, integrations, and total cost of ownership. Use this evaluating-threat-intelligence-platforms guide for procurement, migration, or maturity planning, including evaluating-threat-intelligence-platforms for Threat Modeling when platform choice affects traceability and evidence sharing.

Threat Modeling

Favorites 0GitHub 0

detecting-insider-threat-behaviors

by mukul975

detecting-insider-threat-behaviors helps analysts hunt insider-risk signals like unusual data access, off-hours activity, mass downloads, privilege abuse, and resignation-correlated theft. Use this detecting-insider-threat-behaviors guide for threat hunting, UEBA-style triage, and threat modeling with workflow templates, SIEM query examples, and risk weights.

Threat Modeling

Favorites 0GitHub 0

detecting-credential-dumping-techniques

by mukul975

The detecting-credential-dumping-techniques skill helps you detect LSASS access, SAM export, NTDS.dit theft, and comsvcs.dll MiniDump abuse using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules. It is built for threat hunting, detection engineering, and Security Audit workflows.

Security Audit

Favorites 0GitHub 0

collecting-threat-intelligence-with-misp

by mukul975

The collecting-threat-intelligence-with-misp skill helps you collect, normalize, search, and export threat intelligence in MISP. Use this collecting-threat-intelligence-with-misp guide for feeds, PyMISP workflows, event filtering, warninglist reduction, and practical collecting-threat-intelligence-with-misp for Threat Modeling and CTI operations.

Threat Modeling

Favorites 0GitHub 0

analyzing-threat-intelligence-feeds

by mukul975

Analyzing-threat-intelligence-feeds helps you ingest CTI feeds, normalize indicators, assess feed quality, and enrich IOCs for STIX 2.1 workflows. This analyzing-threat-intelligence-feeds skill is built for threat intel operations and Data Analysis, with practical guidance for TAXII, MISP, and commercial feeds.

Data Analysis

Favorites 0GitHub 0

cosmos-vulnerability-scanner

by trailofbits

cosmos-vulnerability-scanner finds consensus-critical bugs in Cosmos SDK modules, CosmWasm contracts, IBC integrations, and Cosmos EVM stacks. Use this cosmos-vulnerability-scanner guide for security audit workflows, chain-halt risks, fund-loss paths, and pre-launch reviews.

Security Audit

Favorites 0GitHub 4.9k

detecting-process-injection-techniques

by mukul975

detecting-process-injection-techniques helps analyze suspicious in-memory activity, validate EDR alerts, and identify process hollowing, APC injection, thread hijacking, reflective loading, and classic DLL injection for Security Audit and malware triage.

Security Audit

Favorites 0GitHub 0

detecting-email-forwarding-rules-attack

by mukul975

The detecting-email-forwarding-rules-attack skill helps Security Audit, threat hunting, and incident response teams find malicious mailbox forwarding rules used for persistence and email collection. It guides analysts through Microsoft 365 and Exchange evidence, suspicious rule patterns, and practical triage for forwarding, redirect, delete, and hide behaviors.

Security Audit

Favorites 0GitHub 0

analyzing-ios-app-security-with-objection

by mukul975

The analyzing-ios-app-security-with-objection skill helps authorized testers run runtime iOS app security checks with Objection and Frida. Use it to review keychain exposure, filesystem storage, cookies, SSL pinning, jailbreak detection, and other client-side defenses during a Security Audit. Includes workflow guidance, install steps, and practical usage notes.

Security Audit

Favorites 0GitHub 0

analyzing-heap-spray-exploitation

by mukul975

analyzing-heap-spray-exploitation helps analyze heap spray exploitation in memory dumps with Volatility3. It identifies NOP sled patterns, suspicious large allocations, shellcode landing zones, and process VAD evidence for Security Audit, malware triage, and exploit validation.

Security Audit

Favorites 0GitHub 0

detecting-supply-chain-attacks-in-ci-cd

by mukul975

detecting-supply-chain-attacks-in-ci-cd skill for auditing GitHub Actions and CI/CD configs. It helps find unpinned actions, script injection, dependency confusion, secret exposure, and risky permissions for Security Audit workflows. Use it to review a repo, workflow file, or suspicious pipeline change with clear findings and fixes.

Security Audit

Favorites 0GitHub 0

detecting-api-enumeration-attacks

by mukul975

detecting-api-enumeration-attacks helps Security Audit teams detect API probing, BOLA, and IDOR by analyzing sequential IDs, 404 bursts, authorization failures, and docs discovery paths. It is built for log-driven detection guidance, rule drafting, and practical review of API abuse patterns.

Security Audit

Favorites 0GitHub 0

defi-amm-security

by affaan-m

defi-amm-security is a focused security checklist for Solidity AMMs, liquidity pools, LP vaults, and swap flows. It helps auditors and engineers review reentrancy, CEI ordering, donation or inflation attacks, oracle assumptions, slippage, admin controls, and integer math with less guesswork than a generic prompt.

Security Audit

Favorites 0GitHub 156.1k