TM
Threat Model
🔵 Stable🕐 updated 2026-07-01
🔷 SkillSpec L3
pm-security
Threat-model a system or feature to find where it could be attacked, before you build it. Use when asked to threat-model, do a security design review, identify attack surface, or apply STRIDE to a design. Produces a structured threat model: assets, trust boundaries and data flows, threats enumerated by category (STRIDE), and prioritized mitigations. Defensive security for systems you own or are authorized to assess.
What to give it
▸The system / feature — what it does, its components, and how data flows through it.
▸Assets — what's worth protecting (data, credentials, funds, availability, reputation).
▸Trust boundaries — where control changes hands (internet↔app, app↔DB, tenant↔tenant, user roles).
▸Actors & entry points — users, admins, services, third parties; APIs, inputs, uploads, auth.
✅ The bar it holds itself to
Every skill in this library self-verifies — these are this skill's own quality checks, straight from its definition.
✓Assets and trust boundaries are explicit; the data-flow view makes the attack surface visible
✓Threats are enumerated across all STRIDE categories (or a category is skipped with a stated reason)
✓Each significant threat is rated by likelihood × impact and prioritized
✓Top threats have concrete, placed mitigations — and accepted residual risk is named
✓Trust assumptions and out-of-scope areas are stated
⚠️ What it refuses to do
Do not list generic threats — tie each to a specific boundary/data-flow in this system
Do not skip categories silently — at least consider each STRIDE class
Do not rate everything "high" — prioritize by realistic likelihood × impact
Do not propose vague mitigations ("add security") — name the specific control and where it lives
Do not model an attack on a system you don't own or aren't authorized to assess
Install
npx pm-claude-skills add --agent claude # or codex · cursor · gemini · hermes
# or one-line MCP (every skill, any client):
claude mcp add pm-skills -- npx -y pm-claude-skills-mcp
Related skills
🔌 Embed this skill
Drop this on your blog, docs, or site — it renders a "Run this skill" card:
<div data-pm-skill="threat-model"></div>
<script src="https://mohitagw15856.github.io/pm-claude-skills/embed.js" async></script>
💬 Discussion
Threat Model is one of 599 open-source professional AI agent skills — all SkillSpec L3.
Try them all in the browser · ⭐ Star on GitHub · Browse the full catalog