AgentSkillsCN

security-threat-modeling

针对系统威胁的资产、边界与滥用路径建模的专项工作流程。当安全控制、滥用路径分析或漏洞修复是核心关注点时使用;切勿用于非安全性的质量优化。

SKILL.md
--- frontmatter
name: security-threat-modeling
description: Specialized workflow for asset, boundary, and abuse-path modeling for system threats. Use when security controls, abuse-path analysis, or vulnerability treatment are central; do not use for non-security quality optimization.

Security Threat Modeling

Trigger Boundary

  • Use when security controls, abuse paths, or compliance obligations must be defined.
  • Do not use for non-security product prioritization; use requirement or roadmap skills.
  • Do not use for purely aesthetic UI decisions.

Goal

Reduce exploitable risk with verifiable security controls.

Inputs

  • Change scope and risk profile
  • Domain evidence for asset, boundary, and abuse-path modeling for system threats
  • Operational, compliance, and rollout constraints

Outputs

  • Threat model with prioritized mitigations
  • Decision log for asset, boundary, and abuse-path modeling for system threats
  • Verification checklist with measurable pass-fail criteria

Workflow

  1. Clarify outcomes and hard constraints for asset, boundary, and abuse-path modeling for system threats.
  2. Produce options and select an approach for asset, boundary, and abuse-path modeling for system threats.
  3. Evaluate trade-offs across security, performance, operability, and maintainability.
  4. Verify decisions using mitigation coverage review for top abuse scenarios.
  5. Publish decisions, residual risks, and accountable follow-up actions.

Quality Gates

  • Scope and assumptions for asset, boundary, and abuse-path modeling for system threats are explicit and reviewable.
  • Decision rationale is backed by evidence instead of preference.
  • Rollout and rollback criteria are defined when production impact exists.
  • Residual risks have owners, due dates, and verification steps.

Failure Handling

  • Stop when high-impact threats lack mitigations or owners.
  • Escalate when accepted risk exceeds team policy thresholds.