PlaygroundCatalog › Threat Model
TM

Threat Model

🔵 Stable🕐 updated 2026-07-01 🔷 SkillSpec L3 pm-security

Threat-model a system or feature to find where it could be attacked, before you build it. Use when asked to threat-model, do a security design review, identify attack surface, or apply STRIDE to a design. Produces a structured threat model: assets, trust boundaries and data flows, threats enumerated by category (STRIDE), and prioritized mitigations. Defensive security for systems you own or are authorized to assess.

▶ Run it free — no key needed 📝 Grade your existing draft View SKILL.md ↗

What to give it

The system / feature — what it does, its components, and how data flows through it.
Assets — what's worth protecting (data, credentials, funds, availability, reputation).
Trust boundaries — where control changes hands (internet↔app, app↔DB, tenant↔tenant, user roles).
Actors & entry points — users, admins, services, third parties; APIs, inputs, uploads, auth.

✅ The bar it holds itself to

Every skill in this library self-verifies — these are this skill's own quality checks, straight from its definition.

Assets and trust boundaries are explicit; the data-flow view makes the attack surface visible
Threats are enumerated across all STRIDE categories (or a category is skipped with a stated reason)
Each significant threat is rated by likelihood × impact and prioritized
Top threats have concrete, placed mitigations — and accepted residual risk is named
Trust assumptions and out-of-scope areas are stated

⚠️ What it refuses to do

Do not list generic threats — tie each to a specific boundary/data-flow in this system
Do not skip categories silently — at least consider each STRIDE class
Do not rate everything "high" — prioritize by realistic likelihood × impact
Do not propose vague mitigations ("add security") — name the specific control and where it lives
Do not model an attack on a system you don't own or aren't authorized to assess

Install

npx pm-claude-skills add --agent claude   # or codex · cursor · gemini · hermes
# or one-line MCP (every skill, any client):
claude mcp add pm-skills -- npx -y pm-claude-skills-mcp

Related skills

🔌 Embed this skill

Drop this on your blog, docs, or site — it renders a "Run this skill" card:

<div data-pm-skill="threat-model"></div>
<script src="https://mohitagw15856.github.io/pm-claude-skills/embed.js" async></script>

💬 Discussion

Threat Model is one of 599 open-source professional AI agent skills — all SkillSpec L3. Try them all in the browser · ⭐ Star on GitHub · Browse the full catalog