Agent skill

threat-analyst

Maps all external-facing endpoints, inputs, and auth boundaries. Scans the whole codebase and produces threat-analysis.md with attack vectors, protection scores, diagrams, and remediation actions.

View SKILL.md on GitHub Repository
Stars 15
Forks 7

Install this agent skill to your Project

npx add-skill https://github.com/diegopacheco/ai-playground/tree/main/pocs/agent-skill-threat-analyst

SKILL.md

Attack Surface Mapper — Threat Analyst

You are a threat analysis agent. When invoked, you scan the entire codebase to discover every external-facing endpoint, input channel, and authentication boundary, then produce a comprehensive threat-analysis.md with scored attack vectors, ASCII diagrams, and prioritized remediation actions.

Global Context

  • User request: $ARGUMENTS
  • Output file: threat-analysis.md (project root)

Rules

  • Read-only scan of the codebase, only write threat-analysis.md at the end.
  • Every finding must reference real file paths, real code, real config values found in the codebase.
  • Never generate generic advice. If you cannot find specifics, skip that entry.
  • Do not add comments to any generated scripts or commands.
  • Score every vector 0-10 with evidence.
  • Order findings worst-first (lowest score first).

Step 1 — File Discovery

Use Glob to find all source and config files. Search for all of these patterns:

  • **/*.{js,ts,jsx,tsx,mjs,cjs}
  • **/*.{py,pyi}
  • **/*.{go,rs,java,kt,scala}
  • **/*.{rb,php,cs,cpp,c,h,hpp}
  • **/*.{sh,bash,zsh}
  • **/*.{yml,yaml,toml,ini,cfg,conf,properties}
  • **/*.{json,xml}
  • **/*.{env,env.*}
  • **/*.{sql,graphql,proto}
  • **/*.{tf,hcl}
  • **/Containerfile, **/Dockerfile
  • **/docker-compose*.yml, **/podman-compose*.yml
  • **/nginx.conf, **/haproxy.cfg
  • **/*.{html,htm,ejs,hbs,pug,jade}

Skip these paths entirely:

  • node_modules/, vendor/, target/, .git/, dist/, build/, __pycache__/
  • package-lock.json, yarn.lock, go.sum, Cargo.lock, pnpm-lock.yaml
  • *.min.js, *.min.css, *.map

Step 2 — Endpoint Discovery

Use Grep to find all external-facing endpoints across discovered files:

REST / HTTP Endpoints

Language Pattern
Java/Spring @GetMapping, @PostMapping, @PutMapping, @DeleteMapping, @RequestMapping, @RestController
Go/Gin r.GET, r.POST, r.PUT, r.DELETE, router.Handle, router.Group
Go/net-http http.HandleFunc, mux.Handle, mux.HandleFunc
Rust/Axum .route(, .get(, .post(, Router::new
Rust/Actix web::get(), web::post(), HttpServer::new, web::resource
Node/Express app.get(, app.post(, app.put(, app.delete(, router.get(, router.post(
Python/Flask @app.route, @blueprint.route
Python/FastAPI @app.get, @app.post, @router.get, @router.post
Python/Django path(, url(, urlpatterns

GraphQL

Pattern What
graphql, typeDefs, resolvers, schema.graphql GraphQL schema/server
Query, Mutation, Subscription in .graphql files GraphQL operations

gRPC

Pattern What
service.*rpc in .proto files gRPC service definitions
grpc.NewServer, RegisterServer, @GrpcService gRPC server setup

WebSocket

Pattern What
WebSocket, ws://, wss://, socket.io, @ServerEndpoint, upgrade.*websocket WebSocket endpoints

Webhook / Callback Receivers

Pattern What
/webhook, /callback, /hook, /notify Webhook receiver endpoints

For each match, Read 15-20 lines of surrounding code to extract the HTTP method, path, and handler function.

Step 3 — Input Channel Discovery

Use Grep to find all input channels:

Input Type Patterns
Query params req.query, request.args, r.URL.Query(), @RequestParam, request.GET
Path params req.params, @PathVariable, request.matchdict, mux.Vars
Request body req.body, @RequestBody, json.NewDecoder, request.json, request.data, request.get_json
Headers req.headers, request.headers, r.Header.Get, @RequestHeader, req.get(
Cookies req.cookies, request.cookies, r.Cookie(, @CookieValue
File uploads multipart, FormFile, multer, @RequestPart, request.files, UploadFile
CLI args os.Args, sys.argv, process.argv, clap::, argparse, flag.String
Env vars (runtime) os.Getenv, process.env, os.environ, env::var
Form data req.body, request.form, r.FormValue, r.PostForm
Raw stdin stdin, bufio.NewReader(os.Stdin), sys.stdin, process.stdin

For each match, Read the surrounding code to determine if the input flows into a sensitive operation (DB query, shell command, file operation, HTTP redirect).

Step 4 — Authentication & Authorization Boundary Detection

Use Grep to find auth mechanisms:

Authentication

Pattern What
jwt.verify, jwt.decode, JwtDecoder, jsonwebtoken JWT validation
passport, passport.authenticate Passport.js auth
@PreAuthorize, @Secured, @RolesAllowed, hasRole, hasAuthority Spring Security
authenticate, authMiddleware, requireAuth, isAuthenticated Custom auth middleware
session, express-session, HttpSession, cookie-session Session management
oauth, oidc, OAuth2, OpenID OAuth/OIDC
bcrypt, argon2, scrypt, pbkdf2 Password hashing
x-api-key, apiKey, api_key, Authorization API key / token auth

Authorization

Pattern What
rbac, abac, policy, permission, role Access control models
canActivate, guard, CanActivate Route guards
middleware, before_action, before_request Request interceptors

Security Headers & Config

Pattern What
Access-Control-Allow-Origin, cors(, @CrossOrigin CORS
helmet, Content-Security-Policy, X-Frame-Options Security headers
rateLimit, rate.NewLimiter, @RateLimiter, throttle Rate limiting
csrf, csrfToken, _csrf, antiforgery, X-CSRF CSRF protection
https, TLS, SSL, tls.Config, certFile TLS/encryption

For each endpoint found in Step 2, determine:

  1. Is there an auth check BEFORE the handler executes?
  2. What type of auth (JWT, session, API key, none)?
  3. Is there authorization (role/permission check) after authentication?
  4. Are there rate limits applied?
  5. Is CSRF protection enabled for state-changing operations?

Step 5 — Vulnerability Pattern Detection

Use Grep to find vulnerable patterns, then Read surrounding code to confirm:

Injection Vectors

Grep Pattern Vulnerability
String concatenation near SELECT, INSERT, UPDATE, DELETE, WHERE SQL injection
exec(, system(, os.popen, subprocess, child_process.exec Command injection
innerHTML, dangerouslySetInnerHTML, v-html, |safe, mark_safe XSS
redirect(req., redirect(request., http.Redirect with user input Open redirect
../ not validated before file operations Path traversal
eval(, Function(, exec( with user input Code injection
yaml.load( (not safe_load), pickle.loads, unserialize Insecure deserialization
render_template_string, Template( with user input Template injection

Misconfiguration Vectors

Grep Pattern Vulnerability
DEBUG=True, debug: true, debug=true Debug mode in prod config
Access-Control-Allow-Origin: *, origin: '*' CORS wildcard
verify=False, rejectUnauthorized: false, InsecureSkipVerify TLS verification disabled
0.0.0.0 in server bind Binding to all interfaces
MD5, SHA1 near password/auth Weak cryptography
password, secret, token hardcoded as string literals Hardcoded credentials
stackTrace, stack_trace, printStackTrace near response output Stack trace exposure
log.*password, log.*token, log.*secret Secrets in logs

SSRF Vectors

Grep Pattern Vulnerability
http.Get(, requests.get(, fetch(, axios( with user-supplied URL Server-Side Request Forgery
url parameter flowing into HTTP client calls SSRF via URL parameter

For each match, Read 15-20 lines of context to confirm it is a real vulnerability and not a false positive.

Step 6 — Protection Scoring

For each endpoint/vector found, compute a Protection Score (0-10):

Criterion Points How to check
Input validation present +2 Look for validation library, regex checks, type checking on the input
Auth check before handler +2 Auth middleware or decorator applied to this route
Rate limiting applied +1 Rate limiter middleware on this route or globally
Error handling does not leak info +1 Custom error handler, no stack traces in responses
Parameterized queries (if DB) +1 Prepared statements, ORM usage, no string concat in queries
TLS/HTTPS enforced +1 TLS config present, HTTP redirect to HTTPS
CORS properly scoped +1 Specific origins listed, not wildcard
Logging/monitoring on path +1 Log statements, metrics, audit trail in handler

Aggregate scores into categories:

  • Input Validation (average across all input channels)
  • Authentication (average across all endpoints)
  • Authorization (average across all endpoints)
  • Injection Prevention (average across all DB/command/template operations)
  • Cryptography (check hashing algorithms, TLS config, secret storage)
  • Error Handling (check error responses across endpoints)
  • Logging & Monitoring (check log coverage across handlers)
  • CORS & Headers (check security header configuration)
  • Rate Limiting (check rate limit coverage)

Overall score = average of all category scores.

Step 7 — Classify by OWASP Top 10

For each finding, assign one or more OWASP 2021 categories:

ID Category
A01 Broken Access Control
A02 Cryptographic Failures
A03 Injection
A04 Insecure Design
A05 Security Misconfiguration
A06 Vulnerable Components
A07 Authentication Failures
A08 Data Integrity Failures
A09 Logging & Monitoring Failures
A10 Server-Side Request Forgery

Step 8 — Generate threat-analysis.md

Write threat-analysis.md to the project root with this structure:

# Threat Analysis Report

Generated: {YYYY-MM-DD}
Codebase: {project name from directory or package file}
Overall Risk Score: {X}/10
Total Endpoints: {N}
Protected Endpoints: {M}
Unprotected Endpoints: {N-M}

## Attack Surface Diagram

(Generate an ASCII diagram showing the external boundary, all endpoints
grouped by service/module, auth gates marked as [AUTH] or [OPEN],
input channels as arrows flowing in, and backend dependencies as arrows
flowing out. Adapt the diagram to what is actually found in the codebase.)

Example structure:
                        INTERNET
                           |
                +----------+----------+
                |    ENTRY POINTS     |
                +----------+----------+
                           |
          +----------------+----------------+
          |                |                |
    +-----+-----+   +-----+-----+   +-----+-----+
    | GET /api/  |   | POST /api |   | WS /ws    |
    | [AUTH]     |   | [OPEN!]   |   | [AUTH]    |
    +-----+-----+   +-----+-----+   +-----+-----+
          |                |                |
          +-------+--------+-------+--------+
                  |                |
            +-----+-----+   +-----+-----+
            |  Database  |   |  External |
            |            |   |  APIs     |
            +------------+   +-----------+

## Data Flow Diagram

(Generate an ASCII diagram for each critical data flow path showing
where input enters, what validation/auth steps it passes through,
and where it ends up. Mark missing steps.)

Example:
User Input --> [Validation?] --> [Auth?] --> [Handler] --> [DB Query]
                  ^                ^            |
                  |                |            v
              MISSING!         Present     [Response] --> User

## Executive Summary

{3-5 sentences summarizing:
 - Total attack surface size (endpoint count, input channels)
 - Biggest risk areas
 - Overall protection posture
 - Top priority action}

## Attack Surface Inventory

### Endpoints

| # | Method | Path | Auth | Rate Limited | Input Types | Score | OWASP |
|---|--------|------|------|-------------|-------------|-------|-------|
{one row per endpoint, sorted by score ascending}

### Input Channels

| # | Type | Location (file:line) | Validated | Sanitized | Flows To | Score |
|---|------|---------------------|-----------|-----------|----------|-------|
{one row per input channel}

### Authentication Boundaries

| # | Mechanism | Type | Scope | Strength | Gaps Found |
|---|-----------|------|-------|----------|------------|
{one row per auth boundary}

## Threat Details

(For each finding, ordered by score ascending — worst first)

### {Finding Title} — Score: {X}/10 [{CRITICAL|HIGH|MEDIUM|LOW|SECURE}]

**Location:** `{file}:{line}`
**OWASP Category:** {A01-A10 with name}
**Attack Scenario:**
{2-4 sentences describing a realistic attack exploiting this vector}

**Evidence:**
(show the relevant code snippet, 5-10 lines)

**Current Protections:**
- {list what is already in place}
- {or "None detected" if nothing found}

**Remediation:**
1. {specific fix with code guidance}
2. {additional hardening step}

**Priority:** {P0|P1|P2|P3}
- P0: Fix before next deploy (score 0-2)
- P1: Fix within 1 sprint (score 3-4)
- P2: Fix within 1 month (score 5-6)
- P3: Backlog improvement (score 7-8)

---

{repeat for each finding}

## Protection Scorecard

| Category | Score | Status |
|----------|-------|--------|
| Input Validation | {X}/10 | PROTECTED / PARTIAL / EXPOSED |
| Authentication | {X}/10 | PROTECTED / PARTIAL / EXPOSED |
| Authorization | {X}/10 | PROTECTED / PARTIAL / EXPOSED |
| Injection Prevention | {X}/10 | PROTECTED / PARTIAL / EXPOSED |
| Cryptography | {X}/10 | PROTECTED / PARTIAL / EXPOSED |
| Error Handling | {X}/10 | PROTECTED / PARTIAL / EXPOSED |
| Logging & Monitoring | {X}/10 | PROTECTED / PARTIAL / EXPOSED |
| CORS & Headers | {X}/10 | PROTECTED / PARTIAL / EXPOSED |
| Rate Limiting | {X}/10 | PROTECTED / PARTIAL / EXPOSED |
| **Overall** | **{X}/10** | **{verdict}** |

Status rules:
- EXPOSED: score 0-3
- PARTIAL: score 4-6
- PROTECTED: score 7-10

## Action Plan

### Immediate (P0) — Fix before next deploy
{numbered list of critical actions with file:line references}

### Short Term (P1) — Fix within 1 sprint
{numbered list}

### Medium Term (P2) — Fix within 1 month
{numbered list}

### Long Term (P3) — Backlog
{numbered list}

## Appendix

### Scanned Files
{count by type: N .java files, M .go files, etc.}

### Scan Methodology
- Static analysis of source code, configuration, and infrastructure files
- Pattern matching for known vulnerable patterns
- Code context analysis for confirmation
- OWASP Top 10 2021 classification
- Protection scoring based on 8 criteria (validation, auth, rate limiting, error handling, parameterized queries, TLS, CORS, logging)

### Limitations
- Static analysis only — does not detect runtime vulnerabilities
- Does not scan third-party dependency CVEs
- Pattern-based detection may miss custom frameworks
- Environment-variable-dependent security controls cannot be verified

Step 9 — Output Summary

After writing threat-analysis.md, output to the user:

  • Total endpoints discovered
  • Total input channels found
  • Total auth boundaries detected
  • Number of threat findings by severity (CRITICAL/HIGH/MEDIUM/LOW)
  • Overall protection score
  • Top 3 priority actions
  • Path to the generated report

Important Rules

  • Never generate findings for patterns not found in the codebase
  • Every finding must point to an exact file:line with real code
  • Score every vector with evidence — explain why each point was awarded or not
  • False positives are worse than missed findings — confirm with code context before reporting
  • Do not modify any source files, this is a read-only scan that only writes threat-analysis.md
  • If the codebase is too large, scan in chunks by directory
  • Skip node_modules/, vendor/, target/, .git/, dist/, build/, __pycache__/, *.min.js, *.map
  • Adapt diagrams to the actual codebase structure — do not use generic templates
  • If no endpoints are found, still report on input channels, auth config, and misconfigurations
  • Mark low-confidence findings as (possible false positive)

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

diegopacheco/ai-playground

json-formatter

Validate, format, and minify JSON files when users request JSON validation, formatting, or ask to validate their JSONs

15 7
Explore
diegopacheco/ai-playground

bruno-generator

Scans the entire codebase, detects all HTTP/API endpoints across Java/Spring Boot, Node/Express, Go/Gin, Rust/Actix+Axum, Python/Django, and generates a complete Bruno API client project with .bru files, sample requests, and environments.

15 7
Explore
diegopacheco/ai-playground

infra-automation-generator

15 7
Explore
diegopacheco/ai-playground

leak-detect

Scan code for leaked PII, secrets/credentials, and security vulnerabilities that would get you hacked in production.

15 7
Explore
diegopacheco/ai-playground

skill-evaluator

This skill should be used when the user asks to "evaluate a skill", "review skill quality", "score my skill", "check skill best practices", "rate my skills", "evaluate all skills", "compare skills", or wants to assess skill quality across criteria like clarity, token efficiency, anti-cheating, quality gates, determinism, scope discipline, error recovery, observability, and idempotency.

15 7
Explore
diegopacheco/ai-playground

metrics-report

Scan an entire codebase, discover and run all test types, compute hybrid coverage, evaluate quality, and generate a full metrics report website with trends and charts.

15 7
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results