Loop

Concept	Description
Trust boundary	A line where the trust level changes — network edge, auth layer, service-to-service, CI/CD to package registry, or AI agent to local system
Asset	Anything of value to an attacker: user data, credentials, API keys, compute, models, prompts, and developer workstations

Concept	Description
Trust boundary	A line where the trust level changes — network edge, auth layer, service-to-service, CI/CD to package registry, or AI agent to local system
Asset	Anything of value to an attacker: user data, credentials, API keys, compute, models, prompts, and developer workstations

OWASP Threat Modeling · Loop · Loop

Category	Question	Example
Spoofing	Can someone pretend to be another user or service?	Forged JWT, stolen session cookie, or compromised maintainer account publishing packages
Tampering	Can data be modified in transit or at rest?	Unsigned webhook payload, malicious postinstall script in dependency
Repudiation	Can someone deny performing an action?	Missing audit log for admin operations, automated agent actions with no operator approval log
Info Disclosure	Can sensitive data leak to unauthorized parties?	Error messages with stack traces, secret exfiltration via compromised package or agent
Denial of Service	Can the system be made unavailable?	Unbounded query, missing rate limit, botnet-driven DDoS impacting cloud services
Elevation of Privilege	Can someone gain unauthorized access?	Missing RLS, broken RBAC, rogue package introducing a privileged backdoor

Asset	Classification	Storage	Access control
User PII (email, name)	Confidential	Database	RLS + auth
Session tokens	Secret	HTTP-only cookies	Auth provider
API keys	Secret	Env vars / secret manager	Rotation + least privilege
Package lockfile	Integrity artifact	Repo	Signed commits, CI verification
Developer workstation	High-value host	Local	Disk encryption, EDR
ML models / prompts	Confidential/Proprietary	Model registry	ACLs, signed model artifacts

Threat	Category	Likelihood	Impact	Mitigation
Malicious package publish	Tampering/Info Disclosure	Medium	High	Enforce lockfiles, SCA scanning, restrict publishing keys, CI-only installs from curated registries (Snyk advisory)
Postinstall script executes arbitrary code	Tampering	Medium	High	Block/scan lifecycle scripts in CI, require reproducible builds, run installs in ephemeral sandboxed build runners

Threat	Category	Likelihood	Impact	Mitigation
Agent exfiltrates secrets	Info Disclosure	Medium	High	Limit agent scopes, require explicit operator approvals, separate secrets from agent-accessible stores (Krebs)
Agent executes destructive commands	Tampering/DoS	Low/Medium	High	Require manual confirmation for privileged actions, audit logs for agent-initiated operations

Priority	Threat	Mitigation	Effort	Owner
P0	Malicious package postinstall	Enforce lockfiles, CI installs from lockfiles, SCA pipeline	4h	DevOps
P0	Missing RLS on sensitive tables	Add RLS policies + tests	2h	Backend
P0	Unsigned webhooks	Add HMAC verification + timestamp window	4h	Backend
P1	Unrestricted agent automation	Require signed operator approval for agent-initiated privileged ops	8h	Platform

Threat	STRIDE	Risk	Mitigation
User copies skill they don't have access to	Elevation	High	Server-side ownership check + RLS
Copied skill retains original author's identity	Spoofing	Medium	Normalize author_id to copying user
Unlimited copies cause storage exhaustion	DoS	Medium	Rate limit + per-user quota
Copy operation not logged	Repudiation	Low	Audit log on copy with actor_id

Activity

PausedMonday · 9:00 AM5 sources

Automation & run history

Automation status and run history. Only the owner can trigger runs or edit the schedule.

View automation desk

Next runtomorrow

ScheduleMonday · 9:00 AM

Runs this month4

Latest outcomev2

April 2026

Automation brief

Scan OWASP for threat-modeling methodology updates and new attack-tree patterns. Check PortSwigger for novel attack vectors. Monitor Snyk for supply-chain threat intelligence. Update STRIDE/DREAD worksheets and application-boundary diagrams.

Latest refresh trace

Reasoning steps, source results, and the diff that landed.

Apr 6, 2026 · 9:06 AM

triggerAutomation

editoropenai/gpt-5-mini

duration164.1s

statussuccess

web searches4

sources discovered+1

Revision: v2

Updated the OWASP Threat Modeling skill to incorporate 2025–2026 operational threats: supply-chain postinstall attacks (Axios), AI/agent risks, and PortSwigger-identified attack patterns. Added CI/CD and agent trust boundaries, updated STRIDE notes, abuse-path examples, and prioritized mitigations for lockfiles, SCA, and agent controls.

- Added CI/CD, developer workstation, and AI agent trust boundaries; - Inserted supply-chain and package postinstall guidance referencing Snyk (Axios advisory); - Highlighted PortSwigger 2025 attack patterns for modeling prompts; - Updated edge cases to include AI agents and supply-chain spikes; - Expanded asset inventory to include models, prompts, and lockfiles.

Agent steps

Step 1Started scanning 4 sources.

Step 2OWASP: No fresh signals found.

Step 3PortSwigger Research: 12 fresh signals captured.

Step 4Snyk Blog: 5 fresh signals captured.

Step 5Krebs on Security: 10 fresh signals captured.

Step 6Agent is rewriting the skill body from the fetched source deltas.

Step 7Agent discovered 1 new source(s): OWASP Threat Modeling Project.

Step 8Agent used 4 web search(es).

Step 9v2 is live with body edits.

Sources

OWASPdone

No fresh signals found.

PortSwigger Researchdone

12 fresh signals captured.

Top 10 web hacking techniques of 2025 Top 10 web hacking techniques of 2025: call for nominations Document My Pentest: you hack, the AI writes it up!

Snyk Blogdone

5 fresh signals captured.

Building AI Security with Our Customers: 5 Lessons from Evo’s Design Partner Program The 5 Principles of Snyk’s Developer Experience From Discovery to Defense: Why AI Red Teaming Is the Next Step After AI-SPM

Krebs on Securitydone

10 fresh signals captured.

Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab ‘CanisterWorm’ Springs Wiper Attack Targeting Iran Feds Disrupt IoT Botnets Behind Huge DDoS Attacks

Diff preview

# OWASP Threat Modeling

−

Repository-grounded threat modeling methodology that enumerates trust boundaries, builds an asset inventory, applies STRIDE analysis, maps abuse paths, and produces structured mitigation plans. Designed for web applications, APIs, and cloud-native architectures.

Repository-grounded threat modeling methodology that enumerates trust boundaries, builds an asset inventory, applies STRIDE analysis, maps abuse paths, and produces structured mitigation plans. Designed for web applications, APIs, cloud-native architectures, and modern AI-assisted developer workflows.

## When to use

- Designing a new system or major feature before writing code

- Preparing for a security audit or compliance review

- After a security incident to identify overlooked attack vectors

−- Evaluating third-party integrations for risk exposure

+- Evaluating third-party integrations or package dependencies for risk exposure

- When stakeholders ask "what could go wrong?" and need a structured answer

## When NOT to use

+- Hardening existing code (use `security-best-practices` instead)

−- Hardening existing code (use \`security-best-practices\` instead)

+- Implementing specific auth flows (use `auth-patterns` instead)

−- Implementing specific auth flows (use \`auth-patterns\` instead)

- Fixing a known vulnerability with a clear remediation path

- Pure infrastructure/network security without application context

@@ −21 +21 @@

| Concept | Description |

|---------|-------------|

| Trust boundary | A line where the trust level changes — network edge, auth layer, service-to-service, CI/CD to package registry, or AI agent to local system |

−| Trust boundary | A line where the trust level changes — network edge, auth layer, service-to-service |

| Asset | Anything of value to an attacker: user data, credentials, API keys, compute, models, prompts, and developer workstations |

−| Asset | Anything of value to an attacker: user data, credentials, API keys, compute |

| STRIDE | Threat categories: Spoofing, Tampering, Repudiation, Info Disclosure, DoS, Elevation of Privilege |

| Abuse path | A concrete sequence of steps an attacker takes to reach an asset |

| Mitigation | A control that blocks, detects, or limits an abuse path |

| Risk rating | Likelihood × Impact, scored to prioritize remediation |

+| Data flow diagram | Visual map of how data moves across trust boundaries (include CI/CD and agent flows)

−| Data flow diagram | Visual map of how data moves across trust boundaries |

+### STRIDE category reference (notes)

- Treat supply-chain and postinstall script execution as high-risk Tampering/Info-Disclosure vectors when modelling package registries and build systems (see Snyk Axios advisory, Mar 2026).

−### STRIDE category reference

- Model AI/agent capabilities explicitly as assets and privileged actors: agents that can run tools, access files, or automate CI pipelines create new Spoofing, Info Disclosure, and Tampering pathways (Krebs, Mar 2026).

| Category | Question | Example |

|----------|----------|---------|

| **S**poofing | Can someone pretend to be another user or service? | Forged JWT, stolen session cookie, or compromised maintainer account publishing packages |

| **T**ampering | Can data be modified in transit or at rest? | Unsigned webhook payload, malicious postinstall script in dependency |

| **R**epudiation | Can someone deny performing an action? | Missing audit log for admin operations, automated agent actions with no operator approval log |

| **I**nfo Disclosure | Can sensitive data leak to unauthorized parties? | Error messages with stack traces, secret exfiltration via compromised package or agent |

| **D**enial of Service | Can the system be made unavailable? | Unbounded query, missing rate limit, botnet-driven DDoS impacting cloud services |

−| **S**poofing | Can someone pretend to be another user or service? | Forged JWT, stolen session cookie |

| **E**levation of Privilege | Can someone gain unauthorized access? | Missing RLS, broken RBAC, rogue package introducing a privileged backdoor

−| **T**ampering | Can data be modified in transit or at rest? | Unsigned webhook payload, mutable cache |

−| **R**epudiation | Can someone deny performing an action? | Missing audit log for admin operations |

−

| **I**nfo Disclosure | Can sensitive data leak to unauthorized parties? | Error messages with stack traces, verbose API responses |

−| **D**enial of Service | Can the system be made unavailable? | Unbounded query, missing rate limit, regex DoS |

−| **E**levation of Privilege | Can someone gain unauthorized access? | Missing RLS, broken RBAC, IDOR |

## Workflow

Follow a repeatable, light-weight process aligned to the OWASP Threat Modeling Cheat Sheet: decompose the application, identify threats, rank and document mitigations, and validate controls. (OWASP Threat Modeling Cheat Sheet)

### Step 1: Enumerate trust boundaries

−Identify every point where the trust level changes in your system.

+Identify every point where trust changes, including modern additions:

−

−\`\`\`markdown

−## Trust Boundaries

1. **Browser → CDN/Edge** — public internet, untrusted

+2. **Edge → API Routes** — authenticated via JWT/OAuth

−2. **Edge → API Routes** — authenticated via Clerk JWT

+3. **API Routes → Database** — service role key, privileged

−3. **API Routes → Supabase** — service role key, trusted

4. **API Routes → External APIs** — outbound, mixed trust

+5. **CI/CD → Package Registry** — build-time trust (pinning, lockfiles)

+6. **Developer Workstation → Registry** — local installs can introduce malicious postinstall hooks

+7. **AI Agent → Local System / Services** — agents with filesystem, network, or automation permissions

−5. **Cron Jobs → Database** — server-side, privileged

+8. **Webhook Ingress → API Routes** — inbound, signature-verified

−6. **Webhook Ingress → API Routes** — inbound, signature-verified

−\`\`\`

### Step 2: Build an asset inventory

−\`\`\`markdown

+Include traditional assets plus supply-chain and AI-specific assets:

−## Asset Inventory

|-------|---------------|---------|----------------|

−\`\`\`

### Step 3: Apply STRIDE analysis

−For each trust boundary, systematically check each STRIDE category.

+Systematically check each trust boundary. Example additions and explicit mitigations follow.

−\`\`\`markdown

+#### Boundary: CI/CD → Package Registry

−## STRIDE Worksheet

+|--------|----------|------------|--------|------------|

| Malicious package publish | Tampering/Info Disclosure | Medium | High | Enforce lockfiles, SCA scanning, restrict publishing keys, CI-only installs from curated registries (Snyk advisory) |

−### Boundary: Browser → API Routes

Content

OWASP Threat Modeling

When to use

When NOT to use

Core concepts

Content

OWASP Threat Modeling

When to use

When NOT to use

Core concepts

STRIDE category reference (notes)

Workflow

Step 1: Enumerate trust boundaries

Step 2: Build an asset inventory

Step 3: Apply STRIDE analysis

Boundary: CI/CD → Package Registry

Boundary: AI Agent → Local System

Step 4: Map abuse paths

Step 5: Prioritize and plan mitigations

Examples

Example 1: STRIDE worksheet for a new API endpoint

Threat Model: POST /api/skills/copy

Trust boundary: Authenticated user → API → Database

Example 2: Data flow diagram template

Decision tree

Edge cases and gotchas (updated)

Evaluation criteria

Agent docs

Codex — OWASP Threat Modeling

Environment

When this skill is active

Tool usage

Testing expectations

Common failure modes

Output format

Activity

Automation & run history

Latest refresh trace

Research engine

Sources