{"id":"cf444f21-abd0-4a97-997d-1a3ca21409ce","shortId":"TKRa9w","kind":"skill","title":"threat-model-analyst","tagline":"Full STRIDE-A threat model analysis and incremental update skill for repositories and systems. Supports two modes: (1) Single analysis — full STRIDE-A threat model of a repository, producing architecture overviews, DFD diagrams, STRIDE-A analysis, prioritized findings, and execut","description":"# Threat Model Analyst\n\nYou are an expert **Threat Model Analyst**. You perform security audits using STRIDE-A\n(STRIDE + Abuse) threat modeling, Zero Trust principles, and defense-in-depth analysis.\nYou flag secrets, insecure boundaries, and architectural risks.\n\n## Getting Started\n\n**FIRST — Determine which mode to use based on the user's request:**\n\n### Incremental Mode (Preferred for Follow-Up Analyses)\nIf the user's request mentions **updating**, **refreshing**, or **re-running** a threat model AND a prior report folder exists:\n- Action words: \"update\", \"refresh\", \"re-run\", \"incremental\", \"what changed\", \"since last analysis\"\n- **AND** a baseline report folder is identified (either explicitly named or auto-detected as the most recent `threat-model-*` folder with a `threat-inventory.json`)\n- **OR** the user explicitly provides a baseline report folder + a target commit/HEAD\n\nExamples that trigger incremental mode:\n- \"Update the threat model using threat-model-20260309-174425 as the baseline\"\n- \"Run an incremental threat model analysis\"\n- \"Refresh the threat model for the latest commit\"\n- \"What changed security-wise since the last threat model?\"\n\n→ Read [incremental-orchestrator.md](./references/incremental-orchestrator.md) and follow the **incremental workflow**.\n  The incremental orchestrator inherits the old report's structure, verifies each item against\n  current code, discovers new items, and produces a standalone report with embedded comparison.\n\n### Comparing Commits or Reports\nIf the user asks to 
compare two commits or two reports, use **incremental mode** with the older report as the baseline.\n→ Read [incremental-orchestrator.md](./references/incremental-orchestrator.md) and follow the **incremental workflow**.\n\n### Single Analysis Mode\nFor all other requests (analyze a repo, generate a threat model, perform STRIDE analysis):\n\n→ Read [orchestrator.md](./references/orchestrator.md) — it contains the complete 10-step workflow,\n  34 mandatory rules, tool usage instructions, sub-agent governance rules, and the\n  verification process. Do not skip this step.\n\n## Reference Files\n\nLoad the relevant file when performing each task:\n\n| File | Use When | Content |\n|------|----------|---------|\n| [Orchestrator](./references/orchestrator.md) | **Always — read first** | Complete 10-step workflow, 34 mandatory rules, sub-agent governance, tool usage, verification process |\n| [Incremental Orchestrator](./references/incremental-orchestrator.md) | **Incremental/update analyses** | Complete incremental workflow: load old skeleton, change detection, generate report with status annotations, HTML comparison |\n| [Analysis Principles](./references/analysis-principles.md) | Analyzing code for security issues | Verify-before-flagging rules, security infrastructure inventory, OWASP Top 10:2025, platform defaults, exploitability tiers, severity standards |\n| [Diagram Conventions](./references/diagram-conventions.md) | Creating ANY Mermaid diagram | Color palette, shapes, sidecar co-location rules, pre-render checklist, DFD vs architecture styles, sequence diagram styles |\n| [Output Formats](./references/output-formats.md) | Writing ANY output file | Templates for 0.1-architecture.md, 1-threatmodel.md, 2-stride-analysis.md, 3-findings.md, 0-assessment.md, common mistakes checklist |\n| [Skeletons](./references/skeletons/) | **Before writing EACH output file** | 8 verbatim fill-in skeletons (`skeleton-*.md`) — read the relevant skeleton, copy VERBATIM, fill `[FILL]` 
placeholders. One skeleton per output file. Loaded on-demand to minimize context usage. |\n| [Verification Checklist](./references/verification-checklist.md) | Final verification pass + inline quick-checks | All quality gates: inline quick-checks (run after each file write), per-file structural, diagram rendering, cross-file consistency, evidence quality, JSON schema — designed for sub-agent delegation |\n| [TMT Element Taxonomy](./references/tmt-element-taxonomy.md) | Identifying DFD elements from code | Complete TMT-compatible element type taxonomy, trust boundary detection, data flow patterns, code analysis checklist |\n\n## When to Activate\n\n**Incremental Mode** (read [incremental-orchestrator.md](./references/incremental-orchestrator.md) for workflow):\n- Update or refresh an existing threat model analysis\n- Generate a new analysis that builds on a prior report's structure\n- Track what threats/findings were fixed, introduced, or remain since a baseline\n- When a prior `threat-model-*` folder exists and the user wants a follow-up analysis\n\n**Single Analysis Mode:**\n- Perform full threat model analysis of a repository or system\n- Generate threat model diagrams (DFD) from code\n- Perform STRIDE-A analysis on components and data flows\n- Validate security control implementations\n- Identify trust boundary violations and architectural risks\n- Write prioritized security findings with CVSS 4.0 / CWE / OWASP mappings\n\n**Comparing commits or reports:**\n- To compare security posture between commits, use incremental mode with the older report as 
baseline","tags":["threat","model","analyst","awesome","copilot","github","agent-skills","agents","custom-agents","github-copilot","hacktoberfest","prompt-engineering"],"capabilities":["skill","source-github","skill-threat-model-analyst","topic-agent-skills","topic-agents","topic-awesome","topic-custom-agents","topic-github-copilot","topic-hacktoberfest","topic-prompt-engineering"],"categories":["awesome-copilot"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/github/awesome-copilot/threat-model-analyst","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add github/awesome-copilot","source_repo":"https://github.com/github/awesome-copilot","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 33270 github stars · SKILL.md body (5,075 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T18:52:26.654Z","embedding":null,"createdAt":"2026-04-18T20:34:34.585Z","updatedAt":"2026-05-18T18:52:26.654Z","lastSeenAt":"2026-05-18T18:52:26.654Z",
"prices":[{"id":"65a1227f-216e-488f-965d-782aa9f7871d","listingId":"cf444f21-abd0-4a97-997d-1a3ca21409ce","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"github","category":"awesome-copilot","install_from":"skills.sh"},"createdAt":"2026-04-18T20:34:34.585Z"}],"sources":[{"listingId":"cf444f21-abd0-4a97-997d-1a3ca21409ce","source":"github","sourceId":"github/awesome-copilot/threat-model-analyst","sourceUrl":"https://github.com/github/awesome-copilot/tree/main/skills/threat-model-analyst","isPrimary":false,"firstSeenAt":"2026-04-18T21:51:26.785Z","lastSeenAt":"2026-05-18T18:52:26.654Z"},{"listingId":"cf444f21-abd0-4a97-997d-1a3ca21409ce","source":"skills_sh","sourceId":"github/awesome-copilot/threat-model-analyst","sourceUrl":"https://skills.sh/github/awesome-copilot/threat-model-analyst","isPrimary":true,"firstSeenAt":"2026-04-18T20:34:34.585Z","lastSeenAt":"2026-05-07T22:40:39.964Z"}],"details":{"listingId":"cf444f21-abd0-4a97-997d-1a3ca21409ce","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"github","slug":"threat-model-analyst","github":{"repo":"github/awesome-copilot","stars":33270,"topics":["agent-skills","agents","ai","awesome","custom-agents","github-copilot","hacktoberfest","prompt-engineering"],"license":"mit","html_url":"https://github.com/github/awesome-copilot","pushed_at":"2026-05-18T01:26:59Z","description":"Community-contributed instructions, agents, skills, and configurations to help you make the most of GitHub 
Copilot.","skill_md_sha":"9b38ea261d76986d0479300e3d5ea3a07856eac3","skill_md_path":"skills/threat-model-analyst/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/github/awesome-copilot/tree/main/skills/threat-model-analyst"},"layout":"multi","source":"github","category":"awesome-copilot","frontmatter":{"name":"threat-model-analyst","description":"Full STRIDE-A threat model analysis and incremental update skill for repositories and systems. Supports two modes: (1) Single analysis — full STRIDE-A threat model of a repository, producing architecture overviews, DFD diagrams, STRIDE-A analysis, prioritized findings, and executive assessments. (2) Incremental analysis — takes a previous threat model report as baseline, compares the codebase at the latest (or a given commit), and produces an updated report with change tracking (new, resolved, still-present threats), STRIDE heatmap, findings diff, and an embedded HTML comparison. Only activate when the user explicitly requests a threat model analysis, incremental update, or invokes /threat-model-analyst directly."},"skills_sh_url":"https://skills.sh/github/awesome-copilot/threat-model-analyst"},"updatedAt":"2026-05-18T18:52:26.654Z"}}