返回 Skill 列表
extension
分类: 开发与工程无需 API Key

threat-model-generation

使用Bug Hunter原生工件为当前仓库生成或刷新基于STRIDE的威胁模型。在仓库尚无威胁模型、架构发生实质性变化、安全审查需要新的信任边界上下文,或者用户明确要求威胁模型时使用。

person作者: jakexiaohubgithub

Threat Model Generation

This is a bundled local Bug Hunter companion skill. It generates portable threat-model artifacts under .bug-hunter/.

Purpose

Create the security context that the other security skills depend on:

  • trust boundaries
  • major components
  • STRIDE threats
  • vulnerability pattern library
  • severity/config defaults

Required outputs

Write:

  • .bug-hunter/threat-model.md
  • .bug-hunter/security-config.json

Workflow

  1. Read .bug-hunter/triage.json if available for file structure and domain hints.
  2. Inspect the repository to identify:
    • languages and frameworks
    • public/authenticated/internal entry points
    • data stores and external integrations
    • sensitive assets and trust boundaries
  3. Generate a concise STRIDE threat model.
  4. Generate a matching security config with thresholds and tech-stack metadata.

Existing implementation hooks

Bug Hunter already has a native prompt for this capability:

  • prompts/threat-model.md

Prefer reusing that prompt structure and artifact conventions rather than inventing a second format.

Output rules

  • Keep the threat model short enough for downstream agents to consume.
  • Be specific about trust boundaries and vulnerable code patterns.
  • Keep all artifacts under .bug-hunter/, never .factory/.