
Josemlopez Threat Modeling Toolkit

josemlopez-threat-modeling-toolkit is a Claude Code plugin for the Ship phase that runs AI-assisted STRIDE/PASTA threat modeling, compliance mapping, and security verification.

by josemlopez · github.com/josemlopez/threat-modeling-toolkit

Run AI-assisted STRIDE and PASTA threat modeling, map controls to compliance, and verify security claims before you ship sensitive features.

Install

Add it to Claude Code

Install the plugin in Claude Code with one paste-ready command:

/plugin install josemlopez-threat-modeling-toolkit@josemlopez/threat-modeling-toolkit
Agent API

Built to be called by your agent

Skillselion is itself an MCP server. Your agent can pull this entry and a paste-ready install config straight from the API - no copy-paste.

Retrieve this entry with skillselion.get_details("plugin:josemlopez/threat-modeling-toolkit") and the paste-ready config with skillselion.get_install_config("plugin:josemlopez/threat-modeling-toolkit").

About

What it does

josemlopez-threat-modeling-toolkit is a Claude Code security plugin that helps solo builders and small teams treat threat modeling as a repeatable practice instead of a one-off diagram. The toolkit emphasizes the STRIDE and PASTA frameworks, architecture-aware threat discovery, risk analysis, and generating reports you can attach to launch prep or compliance conversations. It also speaks the language of controls, verification, and mapping findings to compliance expectations, which is useful when you are shipping SaaS, APIs, or internal tools without a dedicated AppSec function.

Place it primarily in Ship under security review, but invoke it during Validate when scoping integrations and during Build when backend boundaries are still movable. Expect intermediate complexity: you need enough system context to describe components, trust boundaries, and data flows honestly.

One plugin in the repo keeps the surface area focused compared with sprawling security marketplaces.
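To make concrete what "architecture-aware threat discovery" over components, trust boundaries, and data flows means, here is a small STRIDE-per-element enumerator. It is an added illustration written for this listing, not code from the josemlopez toolkit or from the plugin repository. The element kinds, the STRIDE-per-element table (the conventional Microsoft mapping), the priority rule, and the sample browser/API/database system are all assumptions chosen for the demo; the toolkit's own model format and output may differ.

```python
"""STRIDE-per-element threat enumeration over a tiny data-flow model.

Illustrative example added to this listing; it is NOT code from the
josemlopez toolkit. The element kinds, the STRIDE-per-element table, the
priority rule and the sample system are all assumptions made for the demo.
"""
from dataclasses import dataclass

# STRIDE-per-element (the usual Microsoft mapping): which of the six
# categories apply to each kind of data-flow-diagram element.
STRIDE_BY_KIND = {
    "external": "SR",     # external entity: Spoofing, Repudiation
    "process": "STRIDE",  # process: all six
    "store": "TRID",      # data store: Tampering, Repudiation, Info disclosure, DoS
    "flow": "TID",        # data flow: Tampering, Info disclosure, DoS
}
CATEGORY = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # key of STRIDE_BY_KIND, except "flow"
    zone: str   # trust zone; a flow between different zones crosses a boundary


@dataclass(frozen=True)
class Flow:
    name: str
    src: str    # Element.name
    dst: str    # Element.name
    data: str   # what the flow carries, e.g. "credentials", "PII"


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    priority: str   # "high" | "medium" | "low"
    note: str


def boundary_crossings(elements, flows):
    """Names of flows whose endpoints sit in different trust zones."""
    zone = {e.name: e.zone for e in elements}
    return [f.name for f in flows if zone[f.src] != zone[f.dst]]


def enumerate_threats(elements, flows):
    """Apply STRIDE-per-element and rank by trust-boundary exposure.

    Priority rule (an assumption for this demo): anything touching a flow
    that crosses a trust boundary is "high"; other elements are "medium";
    flows that stay inside one zone are "low".
    """
    zone = {e.name: e.zone for e in elements}
    crossing = set(boundary_crossings(elements, flows))
    exposed = {n for f in flows if f.name in crossing for n in (f.src, f.dst)}
    threats = []
    for e in elements:
        prio = "high" if e.name in exposed else "medium"
        for letter in STRIDE_BY_KIND[e.kind]:
            threats.append(Threat(e.name, CATEGORY[letter], prio,
                                  f"{e.kind} in zone '{e.zone}'"))
    for f in flows:
        if f.name in crossing:
            prio, note = "high", f"{f.data} crosses {zone[f.src]} -> {zone[f.dst]}"
        else:
            prio, note = "low", f"{f.data} stays inside {zone[f.src]}"
        for letter in STRIDE_BY_KIND["flow"]:
            threats.append(Threat(f.name, CATEGORY[letter], prio, note))
    return threats


def report(threats):
    """Plain-text report, highest priority first, then by target and category."""
    order = {"high": 0, "medium": 1, "low": 2}
    lines = []
    for t in sorted(threats, key=lambda t: (order[t.priority], t.target, t.category)):
        lines.append(f"[{t.priority:6}] {t.target}: {t.category} ({t.note})")
    return "\n".join(lines)


def sample_model():
    """Constructed sample: a browser calling an API that reads a database.

    The metrics exporter and its in-zone scrape flow are there to show how
    a flow that does not cross a boundary is ranked lower.
    """
    elements = [
        Element("Browser", "external", "internet"),
        Element("API", "process", "dmz"),
        Element("Metrics exporter", "process", "dmz"),
        Element("Postgres", "store", "private"),
    ]
    flows = [
        Flow("login request", "Browser", "API", "credentials"),
        Flow("user query", "API", "Postgres", "PII"),
        Flow("metrics scrape", "API", "Metrics exporter", "metrics"),
    ]
    return elements, flows


if __name__ == "__main__":
    print(report(enumerate_threats(*sample_model())))
```

The point of the exercise is the model, not the script: the enumerator can only rank the two boundary-crossing flows above the in-zone metrics scrape because the zones were declared honestly. Whether you hand the description to this script or to the plugin in a Claude Code session, the quality of the output is bounded by how accurately you describe components, trust zones, and what each flow carries.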

Highlights

  • AI-powered threat modeling toolkit with STRIDE and PASTA framework support.
  • Architecture-oriented threat discovery and risk analysis workflows.
  • OWASP-aligned analysis patterns and security verification steps.
  • Compliance mapping and control-oriented reporting for solo audits.
  • Single-plugin bundle focused on comprehensive security modeling—not generic linting.

Why builders use it

Indie builders ship APIs and SaaS without structured threat models, so STRIDE-style risks and compliance gaps surface only after users or auditors ask hard questions.

After install, Claude Code can analyze your architecture, enumerate threats with STRIDE/PASTA, map controls to compliance needs, and produce verification-oriented security reports before release.

At a glance

  • Type - Plugin in Security.
  • Adoption - 0 installs, 3 stars, 0 votes.

FAQ

Who is josemlopez-threat-modeling-toolkit for?

Claude Code users shipping software who want STRIDE/PASTA-guided threat analysis and compliance-oriented reporting without a large security team.

When should I use josemlopez-threat-modeling-toolkit?

Use it when architecture or scope is stable enough to describe trust boundaries—especially during security review before launch or after major backend changes.

How do I add josemlopez-threat-modeling-toolkit to my agent?

Add the josemlopez/threat-modeling-toolkit repository as a plugin source in Claude Code, run the install command shown above (/plugin install josemlopez-threat-modeling-toolkit@josemlopez/threat-modeling-toolkit), then invoke the toolkit in session with your system diagram and data-flow description: components, the trust zone each one lives in, and what each flow carries.

