stride-analysis-patterns

by wshobson

stride-analysis-patterns helps agents run a structured STRIDE threat-modeling pass for architectures, APIs, and data flows. Install from the wshobson/agents repo, read the SKILL.md file, and use it to turn system descriptions into categorized threats and control-focused review output.

Stars32.6k

Favorites0

Comments0

AddedMar 30, 2026

CategoryThreat Modeling

Install Command

npx skills add wshobson/agents --skill stride-analysis-patterns

Curation Score

This skill scores 78/100, which makes it a solid listing candidate for directory users. The repository evidence shows substantial real content and a clearly named/useful purpose: applying STRIDE to threat modeling and security documentation. Users can reasonably expect better structure and prompting leverage than a generic security-analysis prompt, though they should also expect a documentation-heavy skill without supporting artifacts, executable helpers, or strong constraint/decision guidance.

78/100

Strengths

Clear triggerability: the frontmatter and "When to Use" section explicitly map it to threat modeling, architecture review, security design review, and audit/documentation work.
Material workflow value: the long SKILL.md includes STRIDE categories, a threat analysis matrix, and multiple structured sections rather than placeholder or demo-only content.
Good agent leverage for repeatable analysis: the methodology gives a reusable framework for systematically covering spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.

Cautions

Adoption is documentation-only: there are no support files, references, rules, scripts, or install instructions to reduce execution guesswork.
Operational guidance appears lighter than the document size suggests: structural signals show limited explicit workflow/constraint/practical cues, which may leave agents to infer output format and depth.

Security Audit Checklist Playbook Workflow Documentation

Overview

Overview of stride-analysis-patterns skill

What stride-analysis-patterns does

The stride-analysis-patterns skill helps an agent run a structured STRIDE threat-modeling pass instead of producing a loose security brainstorm. Its job is to turn a system description into categorized threats across Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.

Best fit for this skill

This stride-analysis-patterns skill is best for security reviews of architectures, APIs, services, data flows, and design changes where you need systematic coverage more than deep exploit research. It fits engineers, security reviewers, architects, and teams preparing design reviews, audits, or threat-model documentation.

Real job-to-be-done

Most users are not looking for a textbook explanation of STRIDE. They need a repeatable way to ask, “What could go wrong in this design, by category, and what control family should we consider next?” The value of stride-analysis-patterns for Threat Modeling is consistency: it reduces skipped categories and gives a cleaner starting point for mitigation planning.

What makes it different from a generic prompt

A normal prompt often returns mixed-risk security advice with uneven coverage. stride-analysis-patterns pushes analysis through a known matrix of threat classes and guiding questions. That makes outputs easier to review, compare across systems, and turn into backlog items or security documentation.

What to know before installing

This skill is lightweight: the repository evidence shows the implementation is mainly in SKILL.md with no extra scripts or helper resources. That is good for quick adoption, but it also means output quality depends heavily on the quality of the architecture context you provide. If your system description is vague, the threat list will be generic too.

How to Use stride-analysis-patterns skill

Install stride-analysis-patterns skill

Install from the repository with:

npx skills add https://github.com/wshobson/agents --skill stride-analysis-patterns

Because the skill lives at plugins/security-scanning/skills/stride-analysis-patterns, installing from the repo is the practical path rather than copying the markdown manually.

Read this file first

Start with:

plugins/security-scanning/skills/stride-analysis-patterns/SKILL.md

There do not appear to be supporting README.md, rules/, or resources/ files for this skill, so most of the usable guidance is concentrated in that single file. This is good news for fast evaluation: you can judge the full method quickly.

What input the skill needs

For strong stride-analysis-patterns usage, provide:

system purpose
main components
trust boundaries
actors and roles
authentication model
sensitive data involved
key entry points such as APIs, queues, admin panels, or webhooks
important dependencies like IdP, cloud storage, databases, and third-party services

Without those details, the skill can still produce threats, but they will look like a generic STRIDE checklist rather than a model of your actual system.

Turn a rough goal into a strong prompt

Weak goal:

Analyze my app for threats.

Better prompt:

Use the stride-analysis-patterns skill to threat model this system. It is a multi-tenant SaaS app with a React frontend, API gateway, Go services, PostgreSQL, Redis, S3 object storage, and an external OAuth provider. Identify threats by STRIDE category for each major component and trust boundary. For each threat, include the affected asset, likely attack path, impact, and the most relevant control family.

The second version gives the skill enough structure to produce reviewable output instead of broad security advice.

Recommended workflow in practice

A practical stride-analysis-patterns guide looks like this:

Describe the architecture in plain English.
List assets, actors, and trust boundaries.
Ask the skill for threats by STRIDE category.
Ask for the threats to be regrouped by component or data flow.
Convert the final list into mitigations, design changes, or tickets.

This sequence matters because STRIDE works best after the system shape is clear. If you jump straight to mitigations, you may optimize for the wrong risks.

Ask for component-level analysis

The skill becomes more useful when you scope it to concrete surfaces such as:

login and session handling
admin functions
file upload flows
service-to-service authentication
background jobs
audit logging
secrets handling
tenant isolation

That usually produces better threat depth than asking for “the whole platform” in one pass.

Useful output format to request

Ask the agent to return a table with columns like:

STRIDE category
component or data flow
threat statement
attacker precondition
impact
suggested control family
open questions

This keeps stride-analysis-patterns for Threat Modeling actionable. The “open questions” column is especially valuable when architecture details are incomplete.

How to use it for existing systems

For brownfield reviews, feed the skill whatever you already have:

architecture diagrams
API docs
deployment descriptions
ADRs
incident history
auth and permission docs

Then ask it to identify likely threats and point out missing architectural facts needed to complete the STRIDE pass. That is often more useful than pretending the documentation is complete.

Where this skill is strongest

The skill is strongest at threat enumeration and category coverage. It is less about exploit proof, scanner integration, or implementation-specific validation. Use it to discover and organize security concerns early, then hand the findings to code review, architecture review, or security testing workflows.

Common usage mistake

The main failure mode in stride-analysis-patterns usage is giving only a product summary and expecting system-specific results. “A fintech app for payments” is not enough. You need at least the key components, identities, data stores, and boundaries, or the analysis will stay generic.

stride-analysis-patterns skill FAQ

Is stride-analysis-patterns good for beginners?

Yes, if you already know your system better than you know STRIDE. The skill provides a usable structure for threat identification, so beginners can ask better security questions. It is less suitable if you want a full tutorial on threat modeling theory from zero.

When should I use stride-analysis-patterns instead of a normal security prompt?

Use stride-analysis-patterns skill when you need consistent category coverage and a documented reasoning structure. A normal prompt is fine for ad hoc security brainstorming, but it often misses categories like repudiation or elevation paths unless you ask very explicitly.

Is this only for formal threat-modeling sessions?

No. It also works for design reviews, pre-release architecture checks, audit prep, and security-focused backlog grooming. If the output will be reviewed by others, STRIDE structure makes the results easier to defend and refine.

What is this skill not good at?

stride-analysis-patterns is not a replacement for penetration testing, static analysis, dependency scanning, or secure code review. It identifies plausible threats; it does not prove exploitability or validate controls in a running environment.

Can I use stride-analysis-patterns for small systems?

Yes, but keep the scope tight. For a small internal tool, ask for threats around authentication, data access, logging, and availability. If you force a very small system through an overly broad enterprise-style model, the output may feel inflated.

Does it fit modern cloud and AI systems?

Yes, but only if you describe cloud identities, service boundaries, data movement, and external integrations clearly. For AI features, include prompt inputs, model providers, retrieval layers, secrets, and user-to-tool execution paths so the STRIDE categories map to real attack surfaces.

How to Improve stride-analysis-patterns skill

Give better architecture context

The fastest way to improve stride-analysis-patterns results is to provide a compact architecture brief before invoking it. Good briefs include:

actors and privilege levels
trust boundaries
authentication and authorization approach
sensitive assets
data flows between components
internet-exposed surfaces

This raises specificity more than asking for “more detail” after a weak first pass.

Separate assets from components

Users often mix “database,” “customer PII,” and “admin user” in one list. Better outputs come when you distinguish:

components: API, worker, database, queue
assets: credentials, audit logs, PII, tokens
actors: customer, admin, support, attacker, third-party service

That separation helps the skill map threats more cleanly and avoid vague statements.

Force explicit trust boundaries

A strong stride-analysis-patterns guide prompt names boundaries such as:

browser to frontend
frontend to API
API to internal services
service to database
production to third-party provider
tenant to tenant

Many meaningful threats appear at boundaries, not inside isolated components.

Ask for evidence-oriented threat statements

Instead of accepting broad items like “tampering is possible,” ask for this pattern:

Threat, attacker action, affected asset, required precondition, likely impact, relevant control family.

This makes the output easier to triage and less like a checklist.

Iterate by category after the first pass

After the initial run, ask follow-ups like:

“Expand only Spoofing threats for service-to-service auth.”
“Re-run Information Disclosure for multi-tenant data access.”
“Focus on Repudiation gaps in admin actions and audit logs.”

This is one of the best ways to improve stride-analysis-patterns skill output quality without rewriting everything from scratch.

Pair threat output with mitigation review

The skill naturally points toward control families such as authentication, integrity checks, logging, encryption, rate limiting, and authorization. After threat enumeration, ask the agent to map each finding to:

existing controls
missing controls
compensating controls
priority and implementation owner

That turns analysis into an adoption-ready review artifact.

Watch for overgenerated threats

A common problem is quantity over decision value. If the first pass returns too many repetitive threats, ask the agent to:

merge duplicates
rank by plausibility and impact
remove generic items not supported by the described architecture
highlight top risks per component

This is especially important when using stride-analysis-patterns for Threat Modeling in meetings or ticket creation.

Improve outputs with a system diagram summary

Even if you cannot share a full diagram, a text diagram helps. Example:

User -> CDN/WAF -> Web App -> API Gateway -> Auth Service
                                 -> Orders Service -> PostgreSQL
                                 -> File Service -> S3
Admin -> Admin Portal -> API Gateway
API -> External OAuth Provider

A summary like this gives the skill better anchors for category-by-category reasoning.

Know when to stop using this skill

If your main question becomes “Is this vulnerability exploitable in code?” or “Which exact control setting should I change in AWS right now?”, move beyond stride-analysis-patterns. At that point, use code review, cloud configuration review, runtime testing, or a more implementation-specific security skill.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

security-threat-model

by openai

Repository-grounded security-threat-model skill for AppSec threat modeling. It maps trust boundaries, assets, attacker goals, abuse paths, and mitigations into a concise Markdown threat model. Use it when you need security-threat-model for Threat Modeling on a specific repo or path, not a generic architecture review or code check.

Threat Modeling

Favorites 0GitHub 0

solana-vulnerability-scanner

by trailofbits

solana-vulnerability-scanner is a focused Solana security audit skill for native Rust and Anchor programs. It helps review CPI logic, PDA validation, signer and ownership checks, and sysvar spoofing to catch six critical Solana-specific vulnerabilities before deployment.

Security Audit

Favorites 0GitHub 4.9k

exploiting-insecure-data-storage-in-mobile

by mukul975

The exploiting-insecure-data-storage-in-mobile skill helps assess and extract evidence from insecure local storage in Android and iOS apps. It covers SharedPreferences, SQLite databases, plist files, world-readable files, backup exposure, and weak keychain/keystore handling for mobile pentesting and Security Audit workflows.

Security Audit

Favorites 0GitHub 6.2k

algorand-vulnerability-scanner

by trailofbits

algorand-vulnerability-scanner is a security-audit skill for Algorand TEAL and PyTeal. It helps find 11 common issues, including rekeying attacks, fee validation gaps, field checks, and access control flaws. Use the algorand-vulnerability-scanner skill for a practical first-pass review before a manual audit.

Security Audit

Favorites 0GitHub 4.9k

evaluating-threat-intelligence-platforms

by mukul975

evaluating-threat-intelligence-platforms helps you compare TIP products by feed ingestion, STIX/TAXII support, automation, analyst workflow, integrations, and total cost of ownership. Use this evaluating-threat-intelligence-platforms guide for procurement, migration, or maturity planning, including evaluating-threat-intelligence-platforms for Threat Modeling when platform choice affects traceability and evidence sharing.

Threat Modeling

Favorites 0GitHub 0

detecting-insider-threat-behaviors

by mukul975

detecting-insider-threat-behaviors helps analysts hunt insider-risk signals like unusual data access, off-hours activity, mass downloads, privilege abuse, and resignation-correlated theft. Use this detecting-insider-threat-behaviors guide for threat hunting, UEBA-style triage, and threat modeling with workflow templates, SIEM query examples, and risk weights.

Threat Modeling

Favorites 0GitHub 0

detecting-credential-dumping-techniques

by mukul975

The detecting-credential-dumping-techniques skill helps you detect LSASS access, SAM export, NTDS.dit theft, and comsvcs.dll MiniDump abuse using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules. It is built for threat hunting, detection engineering, and Security Audit workflows.

Security Audit

Favorites 0GitHub 0

collecting-threat-intelligence-with-misp

by mukul975

The collecting-threat-intelligence-with-misp skill helps you collect, normalize, search, and export threat intelligence in MISP. Use this collecting-threat-intelligence-with-misp guide for feeds, PyMISP workflows, event filtering, warninglist reduction, and practical collecting-threat-intelligence-with-misp for Threat Modeling and CTI operations.

Threat Modeling

Favorites 0GitHub 0

analyzing-threat-intelligence-feeds

by mukul975

Analyzing-threat-intelligence-feeds helps you ingest CTI feeds, normalize indicators, assess feed quality, and enrich IOCs for STIX 2.1 workflows. This analyzing-threat-intelligence-feeds skill is built for threat intel operations and Data Analysis, with practical guidance for TAXII, MISP, and commercial feeds.

Data Analysis

Favorites 0GitHub 0

cosmos-vulnerability-scanner

by trailofbits

cosmos-vulnerability-scanner finds consensus-critical bugs in Cosmos SDK modules, CosmWasm contracts, IBC integrations, and Cosmos EVM stacks. Use this cosmos-vulnerability-scanner guide for security audit workflows, chain-halt risks, fund-loss paths, and pre-launch reviews.

Security Audit

Favorites 0GitHub 4.9k

detecting-process-injection-techniques

by mukul975

detecting-process-injection-techniques helps analyze suspicious in-memory activity, validate EDR alerts, and identify process hollowing, APC injection, thread hijacking, reflective loading, and classic DLL injection for Security Audit and malware triage.

Security Audit

Favorites 0GitHub 0

detecting-email-forwarding-rules-attack

by mukul975

The detecting-email-forwarding-rules-attack skill helps Security Audit, threat hunting, and incident response teams find malicious mailbox forwarding rules used for persistence and email collection. It guides analysts through Microsoft 365 and Exchange evidence, suspicious rule patterns, and practical triage for forwarding, redirect, delete, and hide behaviors.

Security Audit

Favorites 0GitHub 0

analyzing-ios-app-security-with-objection

by mukul975

The analyzing-ios-app-security-with-objection skill helps authorized testers run runtime iOS app security checks with Objection and Frida. Use it to review keychain exposure, filesystem storage, cookies, SSL pinning, jailbreak detection, and other client-side defenses during a Security Audit. Includes workflow guidance, install steps, and practical usage notes.

Security Audit

Favorites 0GitHub 0

analyzing-heap-spray-exploitation

by mukul975

analyzing-heap-spray-exploitation helps analyze heap spray exploitation in memory dumps with Volatility3. It identifies NOP sled patterns, suspicious large allocations, shellcode landing zones, and process VAD evidence for Security Audit, malware triage, and exploit validation.

Security Audit

Favorites 0GitHub 0

detecting-supply-chain-attacks-in-ci-cd

by mukul975

detecting-supply-chain-attacks-in-ci-cd skill for auditing GitHub Actions and CI/CD configs. It helps find unpinned actions, script injection, dependency confusion, secret exposure, and risky permissions for Security Audit workflows. Use it to review a repo, workflow file, or suspicious pipeline change with clear findings and fixes.

Security Audit

Favorites 0GitHub 0

detecting-api-enumeration-attacks

by mukul975

detecting-api-enumeration-attacks helps Security Audit teams detect API probing, BOLA, and IDOR by analyzing sequential IDs, 404 bursts, authorization failures, and docs discovery paths. It is built for log-driven detection guidance, rule drafting, and practical review of API abuse patterns.

Security Audit

Favorites 0GitHub 0