claude-threatmodel
Automated threat modeling for Claude Code
3 skills • 182 lines • ~2K tokens • Minimal context window impact
What This Does
This plugin adds automatic security assessment to Claude Code. When you approve an implementation plan, it runs a threat analysis before code gets written—not weeks later when fixes are expensive.
The key insight: Security review should happen at the moment of intent, not after deployment.
How It Works
The Trigger
When you're in Claude Code and approve a plan (ExitPlanMode), a hook fires automatically. No commands to remember—security assessment just happens.
The Subagent Architecture
Here's what makes this different: threat analysis runs in a subagent, not in your main conversation.
Why does this matter?
| Approach | Context Cost | Analysis Depth |
|---|
| Direct injection | ~2K+ tokens | Limited |
| Subagent (this plugin) | ~200 tokens | Unlimited |
Traditional security tools inject their entire analysis into your conversation, eating up precious context. This plugin spawns a separate agent that:
- Runs
/threatmodel:quick in its own context
- Scans for vulnerabilities
- Returns only a brief summary to your main conversation
- Your context window stays clean for actual work
The Flow
You: "Implement user authentication"
↓
Claude: [Creates plan]
↓
You: [Approve plan] → ExitPlanMode
↓
Hook fires → Subagent spawns
↓
Subagent: Runs /threatmodel:quick
• Scans for hardcoded credentials
• Checks for injection vulnerabilities
• Looks for XSS patterns
• Returns: "Found 2 high risks..."
↓
Claude: Continues with security-aware implementation
Risk-Based Escalation
The quick assessment calculates a risk level:
| Risk Level | What Happens |
|---|
| Critical/High | Recommends /threatmodel:full for complete STRIDE analysis |
| Medium/Low | Shares findings, proceeds with implementation |
You decide whether to run the full analysis. The plugin doesn't block you—it informs you.
The 3 Skills
| Skill | Purpose | When It Runs |
|---|
/threatmodel:quick | Fast risk scan (~30s) | Automatic after plan approval |
/threatmodel:full | Complete STRIDE + compliance | On-demand or when escalated |
/threatmodel:status | Current security posture | Manual check |
What Quick Scans For
- Hardcoded credentials (
password.*=.*["'])
- Code injection (
eval(, exec()
- SQL injection (
query.*+.*req.)
- XSS vulnerabilities (
innerHTML.*=)
What Full Analyzes
- Spoofing - Can attackers impersonate?
- Tampering - Can data be modified?
- Repudiation - Can actions be denied?
- Information Disclosure - Can data leak?
- Denial of Service - Can service be disrupted?
- Elevation of Privilege - Can permissions be gained?
Plus: OWASP Top 10 mapping, SOC2/PCI-DSS compliance checks, baseline snapshots for drift detection.
Installation
Option 1: Plugin Marketplace (Recommended)
/plugin marketplace add josemlopez/claude-threatmodel
/plugin install threatmodel@josemlopez
Done. The plugin includes skills and hooks—no configuration needed.
Option 2: Ask Claude
Just say:
Install the threat modeling plugin from https://github.com/josemlopez/claude-threatmodel
Verify It Works
/threatmodel:status
Or: approve any implementation plan and watch the security assessment run.
Development: Test Locally
git clone https://github.com/josemlopez/claude-threatmodel.git
claude --plugin-dir ./claude-threatmodel
Note: --plugin-dir loads the plugin for that session only.
Advanced: Manual Installation
For shorter skill names (/tm-quick instead of /threatmodel:quick):
cp -r skills/quick ~/.claude/skills/tm-quick
cp -r skills/full ~/.claude/skills/tm-full
cp -r skills/status ~/.claude/skills/tm-status
Then copy hooks from hooks/hooks.json to ~/.claude/settings.json, updating skill references from /threatmodel:quick to /tm-quick.
Technical Details
The Hook
The plugin registers a PostToolUse hook that matches ExitPlanMode:
