Requirements
- Target platform
- OpenClaw
- Install method
- Manual import
- Extraction
- Extract archive
- Prerequisites
- OpenClaw
- Primary doc
- SKILL.md
Tencent SkillHub Β· AI
Threat Modeling Expert
Provide structured threat modeling using STRIDE, attack trees, and risk scoring to identify, prioritize, and mitigate security threats in system designs and...
skill openclawclawhub Free
Provide structured threat modeling using STRIDE, attack trees, and risk scoring to identify, prioritize, and mitigate security threats in system designs and...
β¬ 0 downloads β
0 stars Unverified but indexed
Install for OpenClaw
Quick setup
- Download the package from Yavira.
- Extract the archive and review SKILL.md first.
- Import or place the package into your OpenClaw setup.
Package facts
- Download mode
- Yavira redirect
- Package format
- ZIP package
- Source platform
- Tencent SkillHub
- What's included
- SKILL.md
Validation
- Use the Yavira download entry.
- Review SKILL.md after the package is downloaded.
- Confirm the extracted package contains the expected setup assets.
Install with your agent
Agent handoff
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
New install
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
Upgrade existing
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
Trust & source
Release facts
- Source
- Tencent SkillHub
- Verification
- Indexed source record
- Version
- 1.0.0
Provenance
- Publisher
- brandonwise
- Source page
- View original listing
- Canonical URL
- Open canonical page
Documentation
Threat Modeling Expert
Expert in threat modeling methodologies, security architecture review, and risk assessment using STRIDE, PASTA, attack trees, and security requirement extraction.
Description
USE WHEN: Designing new systems or features (secure-by-design) Reviewing architecture for security gaps Preparing for security audits Identifying attack vectors and threat actors Prioritizing security investments Creating security documentation Training teams on security thinking DON'T USE WHEN: Lack scope or authorization for security review Need legal compliance certification (consult legal) Only need automated scanning (use vulnerability-scanner)
1. Define Scope
System boundaries Assets to protect Trust boundaries Regulatory requirements
2. Create Data Flow Diagram
[User] β [Web App] β [API Gateway] β [Backend] β [Database] β [External API]
3. Identify Assets & Entry Points
Assets: User data, credentials, business logic, infrastructure Entry Points: APIs, forms, file uploads, admin panels
4. Apply STRIDE
Spoofing: Can someone impersonate? Tampering: Can data be modified? Repudiation: Can actions be denied? Information Disclosure: Can data leak? Denial of Service: Can availability be affected? Elevation of Privilege: Can access be escalated?
5. Build Attack Trees
Goal: Access Admin Panel βββ Steal admin credentials β βββ Phishing β βββ Brute force β βββ Session hijacking βββ Exploit vulnerability β βββ SQL injection β βββ Auth bypass βββ Social engineering βββ Support desk compromise
6. Score & Prioritize
Use DREAD or CVSS: Damage potential Reproducibility Exploitability Affected users Discoverability
7. Design Mitigations
Map threats to controls and validate coverage.
8. Document Residual Risks
What's accepted vs. mitigated.
STRIDE Analysis Template
ComponentSpoofingTamperingRepudiationInfo DisclosureDoSEoPWeb AppAuth bypassXSS, CSRFMissing logsError messagesRate limitBroken accessAPIToken theftInput manipNo auditData exposureResource exhaustPrivilege escalationDatabaseCredential theftSQL injectionNo audit trailBackup exposureConnection floodDirect access
Application Layer
Injection (SQL, XSS, command) Broken authentication Sensitive data exposure Broken access control Security misconfiguration Using vulnerable components
Network Layer
Man-in-the-middle Eavesdropping Replay attacks DNS spoofing DDoS
Infrastructure Layer
Unauthorized access Misconfigured services Unpatched systems Weak credentials Exposed admin interfaces
Human Layer
Phishing Social engineering Insider threats Credential sharing
Data Flow Diagram Elements
ElementSymbolDescriptionExternal EntityRectangleUsers, external systemsProcessCircleApplication logicData StoreParallel linesDatabase, cache, filesData FlowArrowData movementTrust BoundaryDashed lineSecurity perimeter
Risk Prioritization Matrix
LOW IMPACT HIGH IMPACT HIGH LIKELIHOOD MEDIUM HIGH LOW LIKELIHOOD LOW MEDIUM
DREAD Scoring (1-10 each)
FactorQuestionDamageHow bad if exploited?ReproducibilityHow easy to reproduce?ExploitabilityHow easy to attack?Affected UsersHow many impacted?DiscoverabilityHow easy to find? Score: Sum / 5 = Risk Level
Input Validation
Whitelist validation Parameterized queries Output encoding Content-Type enforcement
Authentication
MFA where possible Strong password policies Account lockout Secure session management
Authorization
Principle of least privilege Role-based access control Resource ownership checks Regular permission audits
Cryptography
TLS 1.2+ everywhere Strong key management Secure password hashing Encrypted data at rest
Monitoring
Security event logging Anomaly detection Alert thresholds Incident response plan
Best Practices
Involve developers in threat modeling sessions Focus on data flows, not just components Consider insider threats Update models with architecture changes Link threats to security requirements Track mitigations to implementation Review regularly, not just at design time Keep models living documents
Output Template
- # Threat Model: [System Name]
- ## Scope
- Components in scope
- Out of scope
- ## Assets
- Critical assets list
- ## Trust Boundaries
- Internal vs external
- Admin vs user
- ## Data Flow Diagram
- [DFD here]
- ## STRIDE Analysis
- [Table here]
- ## Prioritized Threats
- 1. [High] Description - Mitigation
- 2. [Medium] Description - Mitigation
- ## Residual Risks
- Accepted risks with justification
- ## Review Schedule
- Next review date
Category context
Agent frameworks, memory systems, reasoning layers, and model-native orchestration.
Source: Tencent SkillHub
Largest current source with strong distribution and engagement signals.
Package contents
Included in package
1 Docs
- SKILL.md