{"id":"cf444f21-abd0-4a97-997d-1a3ca21409ce","shortId":"TKRa9w","kind":"skill","title":"Threat Model Analyst","tagline":"Awesome Copilot skill by Github","description":"# Threat Model Analyst\n\nYou are an expert **Threat Model Analyst**. You perform security audits using STRIDE-A\n(STRIDE + Abuse) threat modeling, Zero Trust principles, and defense-in-depth analysis.\nYou flag secrets, insecure boundaries, and architectural risks.\n\n## Getting Started\n\n**FIRST — Determine which mode to use based on the user's request:**\n\n### Incremental Mode (Preferred for Follow-Up Analyses)\nIf the user's request mentions **updating**, **refreshing**, or **re-running** a threat model AND a prior report folder exists:\n- Action words: \"update\", \"refresh\", \"re-run\", \"incremental\", \"what changed\", \"since last analysis\"\n- **AND** a baseline report folder is identified (either explicitly named or auto-detected as the most recent `threat-model-*` folder with a `threat-inventory.json`)\n- **OR** the user explicitly provides a baseline report folder + a target commit/HEAD\n\nExamples that trigger incremental mode:\n- \"Update the threat model using threat-model-20260309-174425 as the baseline\"\n- \"Run an incremental threat model analysis\"\n- \"Refresh the threat model for the latest commit\"\n- \"What changed security-wise since the last threat model?\"\n\n→ Read [incremental-orchestrator.md](./references/incremental-orchestrator.md) and follow the **incremental workflow**.\n  The incremental orchestrator inherits the old report's structure, verifies each item against\n  current code, discovers new items, and produces a standalone report with embedded comparison.\n\n### Comparing Commits or Reports\nIf the user asks to compare two commits or two reports, use **incremental mode** with the older report as the baseline.\n→ Read [incremental-orchestrator.md](./references/incremental-orchestrator.md) and follow the **incremental workflow**.\n\n### Single Analysis Mode\nFor all other requests (analyze a repo, generate a threat model, perform STRIDE analysis):\n\n→ Read [orchestrator.md](./references/orchestrator.md) — it contains the complete 10-step workflow,\n  34 mandatory rules, tool usage instructions, sub-agent governance rules, and the\n  verification process. Do not skip this step.\n\n## Reference Files\n\nLoad the relevant file when performing each task:\n\n| File | Use When | Content |\n|------|----------|---------|\n| [Orchestrator](./references/orchestrator.md) | **Always — read first** | Complete 10-step workflow, 34 mandatory rules, sub-agent governance, tool usage, verification process |\n| [Incremental Orchestrator](./references/incremental-orchestrator.md) | **Incremental/update analyses** | Complete incremental workflow: load old skeleton, change detection, generate report with status annotations, HTML comparison |\n| [Analysis Principles](./references/analysis-principles.md) | Analyzing code for security issues | Verify-before-flagging rules, security infrastructure inventory, OWASP Top 10:2025, platform defaults, exploitability tiers, severity standards |\n| [Diagram Conventions](./references/diagram-conventions.md) | Creating ANY Mermaid diagram | Color palette, shapes, sidecar co-location rules, pre-render checklist, DFD vs architecture styles, sequence diagram styles |\n| [Output Formats](./references/output-formats.md) | Writing ANY output file | Templates for 0.1-architecture.md, 1-threatmodel.md, 2-stride-analysis.md, 3-findings.md, 0-assessment.md, common mistakes checklist |\n| [Skeletons](./references/skeletons/) | **Before writing EACH output file** | 8 verbatim fill-in skeletons (`skeleton-*.md`) — read the relevant skeleton, copy VERBATIM, fill `[FILL]` placeholders. One skeleton per output file. Loaded on-demand to minimize context usage. |\n| [Verification Checklist](./references/verification-checklist.md) | Final verification pass + inline quick-checks | All quality gates: inline quick-checks (run after each file write), per-file structural, diagram rendering, cross-file consistency, evidence quality, JSON schema — designed for sub-agent delegation |\n| [TMT Element Taxonomy](./references/tmt-element-taxonomy.md) | Identifying DFD elements from code | Complete TMT-compatible element type taxonomy, trust boundary detection, data flow patterns, code analysis checklist |\n\n## When to Activate\n\n**Incremental Mode** (read [incremental-orchestrator.md](./references/incremental-orchestrator.md) for workflow):\n- Update or refresh an existing threat model analysis\n- Generate a new analysis that builds on a prior report's structure\n- Track what threats/findings were fixed, introduced, or remain since a baseline\n- When a prior `threat-model-*` folder exists and the user wants a follow-up analysis\n\n**Single Analysis Mode:**\n- Perform full threat model analysis of a repository or system\n- Generate threat model diagrams (DFD) from code\n- Perform STRIDE-A analysis on components and data flows\n- Validate security control implementations\n- Identify trust boundary violations and architectural risks\n- Write prioritized security findings with CVSS 4.0 / CWE / OWASP mappings\n\n**Comparing commits or reports:**\n- To compare security posture between commits, use incremental mode with the older report as baseline","tags":["threat","model","analyst","awesome","copilot","github"],"capabilities":["skill","source-github","category-awesome-copilot"],"categories":["awesome-copilot"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/github/awesome-copilot/threat-model-analyst","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"install_from":"skills.sh"}},"qualityScore":"0.300","qualityRationale":"deterministic score 0.30 from registry signals: · indexed on skills.sh · published under github/awesome-copilot","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill:v1","enrichmentVersion":1,"enrichedAt":"2026-04-22T03:40:34.730Z","embedding":null,"createdAt":"2026-04-18T20:34:34.585Z","updatedAt":"2026-04-22T03:40:34.730Z","lastSeenAt":"2026-04-22T03:40:34.730Z","tsv":"'-174425':155 '/references/analysis-principles.md':353 '/references/diagram-conventions.md':379 '/references/incremental-orchestrator.md':185,244,333,531 '/references/orchestrator.md':269,312 '/references/output-formats.md':405 '/references/skeletons':421 '/references/tmt-element-taxonomy.md':502 '/references/verification-checklist.md':459 '0-assessment.md':416 '0.1-architecture.md':412 '1-threatmodel.md':413 '10':274,317,369 '2-stride-analysis.md':414 '2025':370 '20260309':154 '3-findings.md':415 '34':277,320 '4.0':629 '8':427 'abus':28 'action':91 'activ':526 'agent':285,325,497 'alway':313 'analys':69,335 'analysi':39,103,164,251,266,351,522,541,545,581,583,589,606 'analyst':3,11,18 'analyz':257,354 'annot':348 'architectur':46,398,621 'ask':224 'audit':22 'auto':116 'auto-detect':115 'awesom':4 'base':56 'baselin':106,135,158,241,564,651 'boundari':44,516,618 'build':547 'category-awesome-copilot' 'chang':100,174,342 'check':466,473 'checklist':395,419,458,523 'co':389 'co-loc':388 'code':205,355,507,521,601 'color':384 'commit':172,218,228,634,642 'commit/head':140 'common':417 'compar':217,226,633,638 'comparison':216,350 'compat':511 'complet':273,316,336,508 'compon':608 'consist':488 'contain':271 'content':310 'context':455 'control':614 'convent':378 'copi':439 'copilot':5 'creat':380 'cross':486 'cross-fil':485 'current':204 'cvss':628 'cwe':630 'data':518,610 'default':372 'defens':36 'defense-in-depth':35 'deleg':498 'demand':452 'depth':38 'design':493 'detect':117,343,517 'determin':51 'dfd':396,504,599 'diagram':377,383,401,483,598 'discov':206 'either':111 'element':500,505,512 'embed':215 'evid':489 'exampl':141 'exist':90,538,572 'expert':15 'explicit':112,132 'exploit':373 'file':298,302,307,409,426,448,477,481,487 'fill':430,441,442 'fill-in':429 'final':460 'find':626 'first':50,315 'fix':558 'flag':41,362 'flow':519,611 'folder':89,108,125,137,571 'follow':67,187,246,579 'follow-up':66,578 'format':404 'full':586 'gate':469 'generat':260,344,542,595 'get':48 'github':8 'govern':286,326 'html':349 'identifi':110,503,616 'implement':615 'increment':62,98,144,161,189,192,233,248,331,337,527,644 'incremental-orchestrator.md':184,243,530 'incremental/update':334 'infrastructur':365 'inherit':194 'inlin':463,470 'insecur':43 'instruct':282 'introduc':559 'inventori':366 'issu':358 'item':202,208 'json':491 'last':102,180 'latest':171 'load':299,339,449 'locat':390 'mandatori':278,321 'map':632 'md':434 'mention':75 'mermaid':382 'minim':454 'mistak':418 'mode':53,63,145,234,252,528,584,645 'model':2,10,17,30,84,124,149,153,163,168,182,263,540,570,588,597 'name':113 'new':207,544 'old':196,340 'older':237,648 'on-demand':450 'one':444 'orchestr':193,311,332 'orchestrator.md':268 'output':403,408,425,447 'owasp':367,631 'palett':385 'pass':462 'pattern':520 'per':446,480 'per-fil':479 'perform':20,264,304,585,602 'placehold':443 'platform':371 'postur':640 'pre':393 'pre-rend':392 'prefer':64 'principl':33,352 'prior':87,550,567 'priorit':624 'process':291,330 'produc':210 'provid':133 'qualiti':468,490 'quick':465,472 'quick-check':464,471 're':80,96 're-run':79,95 'read':183,242,267,314,435,529 'recent':121 'refer':297 'refresh':77,94,165,536 'relev':301,437 'remain':561 'render':394,484 'repo':259 'report':88,107,136,197,213,220,231,238,345,551,636,649 'repositori':592 'request':61,74,256 'risk':47,622 'rule':279,287,322,363,391 'run':81,97,159,474 'schema':492 'secret':42 'secur':21,176,357,364,613,625,639 'security-wis':175 'sequenc':400 'sever':375 'shape':386 'sidecar':387 'sinc':101,178,562 'singl':250,582 'skeleton':341,420,432,433,438,445 'skill':6 'skip':294 'source-github' 'standalon':212 'standard':376 'start':49 'status':347 'step':275,296,318 'stride':25,27,265,604 'stride-a':24,603 'structur':199,482,553 'style':399,402 'sub':284,324,496 'sub-ag':283,323,495 'system':594 'target':139 'task':306 'taxonomi':501,514 'templat':410 'threat':1,9,16,29,83,123,148,152,162,167,181,262,539,569,587,596 'threat-inventory.json':128 'threat-model':122,151,568 'threats/findings':556 'tier':374 'tmt':499,510 'tmt-compat':509 'tool':280,327 'top':368 'track':554 'trigger':143 'trust':32,515,617 'two':227,230 'type':513 'updat':76,93,146,534 'usag':281,328,456 'use':23,55,150,232,308,643 'user':59,72,131,223,575 'valid':612 'verbatim':428,440 'verif':290,329,457,461 'verifi':200,360 'verify-before-flag':359 'violat':619 'vs':397 'want':576 'wise':177 'word':92 'workflow':190,249,276,319,338,533 'write':406,423,478,623 'zero':31","prices":[{"id":"65a1227f-216e-488f-965d-782aa9f7871d","listingId":"cf444f21-abd0-4a97-997d-1a3ca21409ce","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"github","category":"awesome-copilot","install_from":"skills.sh"},"createdAt":"2026-04-18T20:34:34.585Z"}],"sources":[{"listingId":"cf444f21-abd0-4a97-997d-1a3ca21409ce","source":"github","sourceId":"github/awesome-copilot/threat-model-analyst","sourceUrl":"https://github.com/github/awesome-copilot/tree/main/skills/threat-model-analyst","isPrimary":false,"firstSeenAt":"2026-04-18T21:51:26.785Z","lastSeenAt":"2026-04-22T00:52:18.366Z"},{"listingId":"cf444f21-abd0-4a97-997d-1a3ca21409ce","source":"skills_sh","sourceId":"github/awesome-copilot/threat-model-analyst","sourceUrl":"https://skills.sh/github/awesome-copilot/threat-model-analyst","isPrimary":true,"firstSeenAt":"2026-04-18T20:34:34.585Z","lastSeenAt":"2026-04-22T03:40:34.730Z"}],"details":{"listingId":"cf444f21-abd0-4a97-997d-1a3ca21409ce","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"github","slug":"threat-model-analyst","source":"skills_sh","category":"awesome-copilot","skills_sh_url":"https://skills.sh/github/awesome-copilot/threat-model-analyst"},"updatedAt":"2026-04-22T03:40:34.730Z"}}