Analyze a codebase for threats, abuse paths, and mitigations in Markdown.
This is an open-source, prompt-only skill for repository-grounded threat modeling. The materials show no required secrets, no declared remote endpoints, and no local code execution capability, so the overall risk is low; the main caveat is supply-chain hygiene because the license is undeclared and maintenance status is unknown.
The materials explicitly state that no keys or environment variables are required, and the README does not request API tokens, cloud credentials, or third-party account access. No credential collection, storage, or abuse risk is indicated.
The materials explicitly state that there are no remote endpoint hosts, and the README focuses on generating a threat model from repository evidence. It does not declare sending user code, paths, or analysis results to external services.
The system has already classified it as prompt-only, indicating it is a prompt/process artifact rather than an executable tool. The materials do not describe spawning local processes, running scripts, invoking a shell, or requesting elevated system permissions.
The description mentions threat modeling a codebase or project path, but combined with its prompt-only nature, this reflects the analysis target rather than actual filesystem read/write capability. The materials do not declare direct access to read, modify, or delete local files or databases.
The source is the open-source openai/skills repository on GitHub with strong community adoption (about 22k stars), which are clear risk-reducing signals. However, the license is undeclared and maintenance status is unknown, so it is still prudent to verify project activity and governance before production use.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "security-threat-model" skill from askskill: 1. Download https://raw.githubusercontent.com/openai/skills/main/skills/.curated/security-threat-model/SKILL.md 2. Save it as ~/.claude/skills/security-threat-model/SKILL.md 3. Reload skills and tell me it's ready
Deliver an actionable AppSec-grade threat model that is specific to the repository or a project path, not a generic checklist. Anchor every architectural claim to evidence in the repo and keep assumptions explicit. Prioritizing realistic attacker goals and concrete impacts over generic checklists.
references/prompt-template.md to generate a repository summary.references/prompt-template.md. Use it verbatim when possible.…
Find official OpenAI docs with citations for model choice and prompt upgrades.
Inspect Sentry issues, events, and recent production error health read-only.
Create or update skills that extend Codex with knowledge, workflows, and tools.
Turn Notion specs into implementation plans, tasks, and progress tracking.
Read, create, and review PDFs with layout-aware rendering and extraction tools.
Research across Notion sources and produce cited, structured briefs and reports.
Review security risks for auth, inputs, secrets, APIs, and sensitive features.
Detect prompt injection, look up CVEs, and assess version impact.
Scan Python projects and GitHub repos for vulnerabilities, secrets, and AI risk insights.
Review architecture or code for security risks, vulnerabilities, and compliance issues.
Scan AI coding workflows for code, secrets, dependency, and tool security risks.
Scan code for TODO, FIXME, and XXX markers with prioritized outputs.