Provide structured threat modeling using STRIDE, attack trees, and risk scoring to identify, prioritize, and mitigate security threats in system designs and...
Source: ClawHub. View on ClawSkills
Method 1: Command-line install (recommended)
Recommended (no need to install clawhub first):
npx clawhub@latest --dir ~/.claude/skills install threat-modeling
Or use the clawhub CLI (must be installed first):
clawhub --dir ~/.claude/skills install threat-modeling
⚠️ Requires Node.js 18+. No Node? Use Method 2 below to download the ZIP directly.
Method 2: Manual download (no Node required)
Download the ZIP, extract it, place the folder at the path below, and restart your Agent:
Install path
~/.claude/skills/threat-modeling/
Expert in threat modeling methodologies, security architecture review, and risk assessment using STRIDE, PASTA, attack trees, and security requirement extraction.
USE WHEN:
DON'T USE WHEN:
---
[User] → [Web App] → [API Gateway] → [Backend] → [Database]
↓
[External API]
Goal: Access Admin Panel
├── Steal admin credentials
│   ├── Phishing
│   ├── Brute force
│   └── Session hijacking
├── Exploit vulnerability
│   ├── SQL injection
│   └── Auth bypass
└── Social engineering
    └── Support desk compromise
Use DREAD or CVSS:
Map threats to controls and validate coverage.
What's accepted vs. mitigated.
---
| Component | Spoofing | Tampering | Repudiation | Info Disclosure | DoS | EoP |
|-----------|----------|-----------|-------------|-----------------|-----|-----|
| Web App | Auth bypass | XSS, CSRF | Missing logs | Error messages | Rate limit | Broken access |
| API | Token theft | Input manip | No audit | Data exposure | Resource exhaust | Privilege escalation |
| Database | Credential theft | SQL injection | No audit trail | Backup exposure | Connection flood | Direct access |
---
| Element | Symbol | Description |
|---------|--------|-------------|
| External Entity | Rectangle | Users, external systems |
| Process | Circle | Application logic |
| Data Store | Parallel lines | Database, cache, files |
| Data Flow | Arrow | Data movement |
| Trust Boundary | Dashed line | Security perimeter |
---
| | Low impact | High impact |
|---|---|---|
| High likelihood | Medium | High |
| Low likelihood | Low | Medium |
| Factor | Question |
|--------|----------|
| Damage | How bad if exploited? |
| Reproducibility | How easy to reproduce? |
| Exploitability | How easy to attack? |
| Affected Users | How many impacted? |
| Discoverability | How easy to find? |
Score: sum of the five factor ratings / 5 = risk level
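An added example, not part of the skill's own files, that applies the DREAD scoring above to a few constructed threats taken from the STRIDE matrix and renders the "Prioritized Threats" section of the report template. The 1-10 rating scale and the Low/Medium/High cut-offs are assumptions, since the page only defines the formula and the three levels.

```python
from dataclasses import dataclass

# The five DREAD factors from the table above.
FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")

@dataclass
class Threat:
    component: str     # row of the STRIDE matrix
    category: str      # STRIDE column
    description: str
    ratings: dict      # factor -> integer 1..10 (assumed scale)
    mitigation: str = ""

def dread_score(ratings):
    """Score = sum of the five factors / 5; rejects missing or out-of-range factors."""
    for f in FACTORS:
        v = ratings.get(f)
        if not isinstance(v, int) or not 1 <= v <= 10:
            raise ValueError(f"{f} must be an integer 1-10, got {v!r}")
    return sum(ratings[f] for f in FACTORS) / 5

def risk_level(score):
    """Assumed thresholds mapping the average onto the page's three risk levels."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"

def prioritize(threats):
    """Highest score first; ties broken by Damage, then Exploitability."""
    return sorted(threats, key=lambda t: (-dread_score(t.ratings),
                                          -t.ratings["damage"], -t.ratings["exploitability"]))

def render_prioritized(threats):
    """Lines for the '## Prioritized Threats' section of the template."""
    lines = ["## Prioritized Threats"]
    for i, t in enumerate(prioritize(threats), 1):
        level = risk_level(dread_score(t.ratings))
        lines.append(f"{i}. [{level}] {t.component}/{t.category}: {t.description} - {t.mitigation}")
    return lines

# Constructed sample threats; ratings are illustrative, not from the page.
SAMPLE = [
    Threat("Database", "Tampering", "SQL injection via search parameter",
           dict(damage=9, reproducibility=8, exploitability=7, affected_users=9, discoverability=7),
           "Parameterized queries, input validation"),
    Threat("Web App", "Repudiation", "Missing audit logs for admin actions",
           dict(damage=5, reproducibility=10, exploitability=3, affected_users=4, discoverability=4),
           "Centralized, append-only audit logging"),
    Threat("API", "DoS", "Resource exhaustion through unbounded requests",
           dict(damage=6, reproducibility=6, exploitability=6, affected_users=8, discoverability=5),
           "Rate limiting and request quotas"),
]

if __name__ == "__main__":
    print("\n".join(render_prioritized(SAMPLE)))
```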
---
# Threat Model: [System Name]
## Scope
- Components in scope
- Out of scope
## Assets
- Critical assets list
## Trust Boundaries
- Internal vs external
- Admin vs user
## Data Flow Diagram
[DFD here]
## STRIDE Analysis
[Table here]
## Prioritized Threats
1. [High] Description - Mitigation
2. [Medium] Description - Mitigation
## Residual Risks
- Accepted risks with justification
## Review Schedule
- Next review date
After installing Threat Modeling Expert, you can say these things to the AI to trigger it:
Help me get started with Threat Modeling Expert
Explains what Threat Modeling Expert does, walks through the setup, and runs a quick demo based on your current project
Use Threat Modeling Expert to structured threat modeling using STRIDE, attack trees, and risk sco...
Invokes Threat Modeling Expert with the right parameters and returns the result directly in the conversation
What can I do with Threat Modeling Expert in my finance & investment workflow?
Lists the top use cases for Threat Modeling Expert, with example commands for each scenario
Place the skill folder in ~/.claude/skills/threat-modeling/ (personal level, available to all projects) or .claude/skills/threat-modeling/ (project level). After restarting the AI client, invoke it explicitly with /threat-modeling, or let the AI discover and use it automatically based on context.
Threat Modeling Expert supports Claude, Cursor, and OpenClaw, integrating seamlessly with these AI platforms to extend their capabilities.
Threat Modeling Expert is free to install and use. See the repository for license information.
Threat Modeling Expert belongs to the "Finance & Investment" category; skills in this category help AI agents perform specialized tasks in this domain.
Automate my finance & investment tasks using Threat Modeling Expert
Identifies repetitive steps in your workflow and sets up Threat Modeling Expert to handle them automatically