threat-modeling by fr33d3m0n

AI-native skill for automated software risk analysis

Created 3 months ago
256 stars

Top 98.6% on SourcePulse

Summary

This repository provides an AI-native, LLM-driven threat modeling skill for automated software risk analysis. Targeting engineers and security professionals, it offers comprehensive security assessment, threat modeling, security testing, penetration testing, and compliance checking via a code-first approach, aiming to streamline and deepen security evaluations.

How It Works

The skill employs an LLM-driven, code-first methodology. It uses a Subject-Action-Object (SAO) model for systematic threat enumeration and a trust inversion model (SKILL.MD = UNTRUSTED). Leveraging the SM2 state machine from the "Cobweb" system, it enhances security analysis depth and path coverage.

Quick Start & Requirements

Install by cloning the repository into either the global skills directory (~/.claude/skills/) or a project-local one (.claude/skills/). Prerequisites are the Claude Code CLI, Python 3.10+, and SQLite3. To begin, navigate to your project directory and invoke /threat-modeling to follow the 8-phase workflow. The repository is available at https://github.com/fr33d3m0n/threat-modeling.git.

Highlighted Details

  • Full OWASP MCP Top 10 (2025) coverage, aligned with the official MCP01:2025 through MCP10:2025 entries.
  • Features 13 pre-built agent attack chains mapped to MITRE ATT&CK techniques.
  • Supports 6 usage modes: complete workflow, KB consultation, vulnerability analysis, test generation, forward integration (design), and backward integration (pentest).
  • Offers advanced scenarios for interface/data flow discovery, attack tree/POC generation, Docker test environments, and attack chain visualization.
  • Includes an extensive knowledge base: 16 security control domains, 1,900+ threat patterns (CWE/CAPEC/ATT&CK), and 350+ AI/LLM threats.

Maintenance & Community

The README does not detail specific maintenance contributors, sponsorships, or community channels (e.g., Discord, Slack). The project is at version 3.1.0, indicating active development.

Licensing & Compatibility

Licensed under the permissive BSD-3-Clause, allowing for commercial use and integration into closed-source projects without significant copyleft restrictions.

Limitations & Caveats

A primary dependency is the "Claude Code CLI," potentially indicating a specific ecosystem or proprietary interface. As an "AI-native" tool at v3.1.0, it is likely under active development, and users should anticipate evolving stability. No specific unsupported platforms or known bugs are detailed.

Health Check

  • Last Commit: 1 month ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 0
  • Issues (30d): 0
  • Star History: 49 stars in the last 30 days
