security-threat-model

What it is

A process guide for generating repository-specific threat models. The skill defines a 7-step workflow that produces a Markdown threat model document containing trust boundaries, assets, attacker capabilities, abuse paths, mitigations, and priority rankings. It is designed to be triggered only when a user explicitly requests threat modeling of a codebase.

What we observed

Composite score: 4.8/5.0. All dimensions scored 5.0 except D5 reusability at 4.0. Test harness results: 1 pass, 0 partial, 1 fail. The install check passed with "No requirements.txt in SKILL.md; assuming no external dependencies beyond Python standard library." The smoke-invocation check failed: "SKILL.md describes a workflow but does not provide a Python module or CLI entry point; no executable code to invoke." The harness explicitly states "SKILL.md is a process guide, not an executable skill."

Where it wins

D1 trigger clarity scored 5.0. The trigger conditions are sharply defined: "Trigger only when the user explicitly asks to threat model a codebase or path, enumerate threats/abuse paths, or perform AppSec threat modeling. Do not trigger for general architecture summaries, code review, or non-security design work." This eliminates false triggers on unrelated security discussions. D2 output specificity and D3 scope precision also scored 5.0, with the skill requiring evidence-anchored claims and explicit exclusion of out-of-scope items.

Where it falls short

D5 reusability scored 4.0, the only dimension below perfect. The skill is a workflow document with no executable code—no Python module, no CLI entry point, no programmatic interface. The harness confirmed this with a failed smoke-invocation test. Users cannot run, install, or integrate this skill into automated pipelines. It requires manual execution of each step. The workflow references external files (references/prompt-template.md) that must exist in the repository, creating a dependency chain not resolved within the skill itself.

Bottom line

A well-scoped, precisely triggered process guide that scores near-perfect on clarity and specificity. The lack of executable code limits it to manual use only, preventing automation and integration. Recommend for teams doing manual threat modeling; skip for automated security workflows.

Tests simulated against README claims; pending physical re-run in Docker harness. Ran 2026-06-03.

Overall: partial. 1 test passed, 0 partial, 1 failed; key blocker: SKILL.md is a process guide, not an executable skill; no code to run.

Inferred dependencies: python>=3.10.

Test	Status	Notes
install	pass	No requirements.txt in SKILL.md; assuming no external dependencies beyond Python standard library.
smoke-invocation	fail	SKILL.md describes a workflow but does not provide a Python module or CLI entry point; no executable code to invoke.