Skills Development Enterprise Threat Model Security Analysis

Enterprise Threat Model Security Analysis

v20260707
harness-threat-model
This skill generates an enterprise-grade threat model report using the `harness threat-model` command. It categorizes threats across the MCP surface, providing a detailed report including the overall worst severity (clean, low, medium, high) and specific findings. Ideal for pre-launch security reviews and periodic audits when sharing findings with an InfoSec team.
Get Skill
183 downloads
Overview

The companion to harness-mcp-scan for enterprise security reviews. Where mcp-scan is a per-server static lint, threat-model produces a categorized report suitable for sharing with an InfoSec team.

Algorithm

Implementation: scripts/threat-model.mjs.

  1. Invoke the pinned harness binary (metaharness@~0.3.0, resolved from a local install or the one-time ~/.ruflo/metaharness-cache-<pin> cache — never @latest): harness threat-model <path> --json.
  2. Parse { worst, findings[] }.
  3. --fail-on <severity>: exit 1 when worst >= fail-on. Default high.

Severity rank

Severity Rank
clean 0
low 1
medium 2
high 3

When to use

  • Pre-launch review: include the JSON output in the release-readiness packet sent to security.
  • Periodic audit: schedule via the planned oia-audit background worker (ADR-150 Phase 2) to detect MCP-surface drift.

Graceful degradation

Same pattern as the other skills: when harness is absent, emit { degraded: true } and exit 0. ADR-150 architectural constraint.

Info
Category Development
Name harness-threat-model
Version v20260707
Size 1.42KB
Updated At 2026-07-09
Language