SKILL.md
Examples that trigger incremental mode:
- "Update the threat model using threat-model-20260309-174425 as the baseline"
- "Run an incremental threat model analysis"
- "Refresh the threat model for the latest commit"
- "What changed security-wise since the last threat model?"
→ Read incremental-orchestrator.md and follow the incremental workflow.
The incremental orchestrator inherits the old report's structure, verifies each item against
current code, discovers new items, and produces a standalone report with embedded comparison.
## Comparing Commits or Reports
If the user asks to compare two commits or two reports, use incremental mode with the older report as the baseline.
→ Read incremental-orchestrator.md and follow the incremental workflow.
## Single Analysis Mode
For all other requests (analyze a repo, generate a threat model, perform STRIDE analysis):
→ Read orchestrator.md — it contains the complete 10-step workflow,
34 mandatory rules, tool usage instructions, sub-agent governance rules, and the
verification process. Do not skip this step.
## Reference Files
Load the relevant file when performing each task:
| File | Use When | Content |
|------|----------|---------|
| orchestrator.md | Always — read first | Complete 10-step workflow, 34 mandatory rules, sub-agent governance, tool usage, verification process |
| incremental-orchestrator.md | Incremental/update analyses | Complete incremental workflow: load old skeleton, change detection, generate report with status annotations, HTML comparison |
| | Analyzing code for security issues | Verify-before-flagging rules, security infrastructure inventory, OWASP Top 10:2025, platform defaults, exploitability tiers, severity standards |
| | Creating ANY Mermaid diagram | Color palette, shapes, sidecar co-location rules, pre-render checklist, DFD vs architecture styles, sequence diagram styles |
| | Writing ANY output file | Templates for 0.1-architecture.md, 1-threatmodel.md, 2-stride-analysis.md, 3-findings.md, 0-assessment.md, common mistakes checklist |
| skeleton-*.md | Before writing EACH output file | 8 verbatim fill-in skeletons — read the relevant skeleton, copy VERBATIM, fill [FILL] placeholders. One skeleton per output file. Loaded on demand to minimize context usage. |
| | Final verification pass + inline quick-checks | All quality gates: inline quick-checks (run after each file write), per-file structural, diagram rendering, cross-file consistency, evidence quality, JSON schema — designed for sub-agent delegation |
| | Identifying DFD elements from code | Complete TMT-compatible element type taxonomy, trust boundary detection, data flow patterns, code analysis checklist |
## When to Activate

**Incremental Mode** (read incremental-orchestrator.md for workflow):
- Update or refresh an existing threat model analysis
- Generate a new analysis that builds on a prior report's structure
- Track what threats/findings were fixed, introduced, or remain since a baseline
- When a prior `threat-model-*` folder exists and the user wants a follow-up analysis
**Single Analysis Mode:**
- Perform full threat model analysis of a repository or system
- Generate threat model diagrams (DFD) from code
- Perform STRIDE-A analysis on components and data flows
- Validate security control implementations
- Identify trust boundary violations and architectural risks
- Write prioritized security findings with CVSS 4.0 / CWE / OWASP mappings
**Comparing commits or reports:**
- To compare security posture between commits, use incremental mode with the older report as baseline
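The mode routing described above (incremental when a prior `threat-model-*` report exists or a baseline is named, single analysis otherwise), written out as an added example; this is not part of the skill's own files. It assumes report folders follow the `threat-model-YYYYMMDD-HHMMSS` pattern seen in the trigger example (`threat-model-20260309-174425`) and treats any folder that does not parse as a valid timestamp as not being a report.

```python
import re
from datetime import datetime
from typing import Iterable, Optional

# Assumption: report folders are named threat-model-YYYYMMDD-HHMMSS,
# as in the page's example "threat-model-20260309-174425".
REPORT_DIR_RE = re.compile(r"^threat-model-(\d{8})-(\d{6})$")


def parse_report_timestamp(name: str) -> Optional[datetime]:
    """Timestamp encoded in a report folder name, or None if the name does not
    match the pattern or encodes an impossible date/time (e.g. 31 February)."""
    m = REPORT_DIR_RE.match(name)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
    except ValueError:
        return None


def prior_reports(entries: Iterable[str]) -> list[str]:
    """Filter directory entries down to valid report folders, oldest first."""
    valid = [e for e in entries if parse_report_timestamp(e) is not None]
    return sorted(valid, key=parse_report_timestamp)


def select_mode(entries: Iterable[str],
                requested_baseline: Optional[str] = None) -> tuple[str, Optional[str]]:
    """Return ("incremental", baseline) or ("single", None).

    A baseline the user names explicitly wins, but only if it is present and
    well-formed; otherwise the newest prior report becomes the baseline. With
    no prior report at all, fall through to a full single analysis."""
    reports = prior_reports(entries)
    if requested_baseline is not None:
        if requested_baseline not in reports:
            raise FileNotFoundError(f"baseline not found: {requested_baseline}")
        return "incremental", requested_baseline
    if reports:
        return "incremental", reports[-1]
    return "single", None


if __name__ == "__main__":
    # Constructed sample listing of a repository root.
    sample = ["src", "threat-model-20260101-000000",
              "threat-model-20260309-174425", "threat-model-latest"]
    print(select_mode(sample))
    print(select_mode(["src", "docs"]))
```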