davidmatousek
User
Threat modeling and AI-reasoning vulnerability detection harness for Claude Code — STRIDE + AI + MAESTRO
Indexed Skills (29)
aod-foundation
Guided post-init workshop that helps new AOD Kit adopters establish product vision and design identity. Two-part flow: Part 1 (Vision) asks 5 guided questions to populate product-vision.md; Part 2 (Design) browses archetypes to generate brand files (brand.md, tokens.css, anti-patterns.md). Supports --vision and --design flags for partial execution. Use when a developer invokes /aod.foundation after running make init.
aod-lens
Routes to 14 structured thinking methodologies (lenses) for systematic analysis. Use this skill when you need to think through problems, apply thinking lenses, reason through decisions, or perform systematic analysis. Auto-selects the appropriate lens from context: 5 Whys for failures, Pre-Mortem for risks, First Principles for assumptions, Systems Thinking for architecture, Four Causes for understanding, Cargo Cult Detection for validation, Golden Mean for calibration.
aod-orchestrate
Multi-feature orchestration skill that bridges /aod.blueprint output to parallel wave execution. Groups synced GitHub Issues by ICE priority tier (P0/P1/P2) into sequential waves, creates Task records, spawns batch sessions via the orchestrator API, monitors completion, and reports results. Supports --issues (selective), --dry-run (preview), and --yes (skip confirm). Use when a developer invokes /aod.orchestrate to execute multiple features from a blueprint in priority-ordered waves.
aod-stack
Manage stack packs — activate, remove, list, and scaffold technology-specific conventions for AI coding agents. Use when developers want to select a stack, set up conventions, or manage pack lifecycle.
code-execution-helper
Guide for using code execution capabilities to perform parallel batch processing, conditional filtering, and data aggregation. This skill should be used when agents need to analyze multiple files efficiently, validate large result sets, aggregate data from multiple sources, or reduce token consumption through execution-based filtering. Provides reusable templates for quota-aware workflows, error handling patterns, and token-efficient data processing.
git-workflow-helper
Automates git workflow tasks including status checks, branch creation, file staging, conventional commit message generation, and pull request creation with gh CLI. Use this skill when you need to commit changes, create PRs, check git status, create branches, push code, or generate commit messages. Ensures proper git workflow and commit standards.
kb-create
Guided pattern and bug creation with interactive prompts and automatic quality validation. Use this skill when you need to create patterns, document solutions, add KB entries, document bug fixes, save solutions, or create knowledge base entries. Helps users create high-quality KB entries with proper structure, scoring, and categorization. Provides improvement suggestions for entries below quality thresholds.
kb-query
Interactive Knowledge Base search with natural language queries. Use this skill when you need to search KB, find patterns, search knowledge base, look for solutions, find bug fixes, or query institutional knowledge. Searches patterns and bug fixes with relevance ranking, quality scoring, and fuzzy matching for typo tolerance. Helps users find solutions quickly without manual browsing.
root-cause-analyzer
Implements 5 Whys root cause analysis methodology for systematic debugging and problem resolution. Use this skill when you need to find root cause, run 5 whys analysis, analyze recurring problems, or perform systematic debugging. Guides developers through structured analysis, documents findings in institutional knowledge system, and prevents recurring issues.
security
Claude-powered SAST and SCA security scan skill. Invoked automatically as the Security Scan step (Step 7) of /aod.build (after Design Quality Gate, before Code Simplification) or standalone via /security. Analyzes all code files and dependency manifests changed on the feature branch relative to main for OWASP Top 10 vulnerability patterns and known CVE findings. Produces a human-readable security-scan.md report and machine-readable .security/ compliance artifacts (scan-log.jsonl, vulnerabilities.jsonl, SARIF 2.1.0, CycloneDX 1.5 SBOM). Blocks build progression on CRITICAL/HIGH findings with an explicit acknowledgment gate. Use --no-security in /aod.build to skip. Invoke /security directly for standalone analysis outside the build pipeline.
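The artifact and gate behaviour described for the security skill, worked through as an added example (this is not the skill's own code): it parses constructed vulnerabilities.jsonl records, emits a minimal SARIF 2.1.0 log from them, and blocks while any CRITICAL or HIGH finding lacks an explicit acknowledgment by id. The record field names (id, rule, severity, file, line, message, cwe), the sample findings and the tool name "aod-security" are assumptions for illustration; the page does not show the real record schema.

```python
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample of .security/vulnerabilities.jsonl for this example. The field
# names (id, rule, severity, file, line, message, cwe) are an assumption; the page
# does not show the skill's real record schema. The third record has no cwe on purpose.
SAMPLE_JSONL = """\
{"id": "VULN-001", "rule": "sql-injection", "severity": "CRITICAL", "file": "api/users.py", "line": 42, "message": "f-string interpolated into cursor.execute()", "cwe": "CWE-89"}
{"id": "VULN-002", "rule": "weak-hash", "severity": "MEDIUM", "file": "auth/passwords.py", "line": 17, "message": "MD5 used for password hashing", "cwe": "CWE-328"}
{"id": "VULN-003", "rule": "vulnerable-dependency", "severity": "HIGH", "file": "requirements.txt", "line": 3, "message": "pinned version has a known CVE"}
"""

REQUIRED_FIELDS = {"id", "rule", "severity", "file", "line", "message"}
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}
# SARIF 2.1.0 result levels are none/note/warning/error; map the scan's bands onto them.
SARIF_LEVEL = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning", "LOW": "note"}


def parse_findings(jsonl_text: str) -> List[Dict]:
    """Parse JSONL, rejecting malformed lines and records with missing or unknown fields."""
    findings = []
    for lineno, raw in enumerate(jsonl_text.splitlines(), 1):
        if not raw.strip():
            continue  # tolerate blank lines between records
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: malformed JSONL record") from exc
        missing = REQUIRED_FIELDS - rec.keys()
        if missing:
            raise ValueError(f"line {lineno}: missing fields {sorted(missing)}")
        rec["severity"] = str(rec["severity"]).upper()
        if rec["severity"] not in SARIF_LEVEL:
            raise ValueError(f"line {lineno}: unknown severity {rec['severity']!r}")
        findings.append(rec)
    return findings


def to_sarif(findings: Iterable[Dict], tool_name: str = "aod-security") -> Dict:
    """Build a minimal SARIF 2.1.0 log: one run, one rule per distinct rule id, one result per finding."""
    rules: Dict[str, Dict] = {}
    results = []
    for f in findings:
        tags = [t for t in ("security", f.get("cwe")) if t]  # drop the tag when cwe is absent
        rules.setdefault(f["rule"], {
            "id": f["rule"],
            "shortDescription": {"text": f["rule"]},
            "properties": {"tags": tags},
        })
        results.append({
            "ruleId": f["rule"],
            "level": SARIF_LEVEL[f["severity"]],
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": int(f["line"])},
            }}],
            "properties": {"severity": f["severity"], "findingId": f["id"]},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
                  "results": results}],
    }


def acknowledgment_gate(findings: Iterable[Dict],
                        acknowledged: Iterable[str] = ()) -> Tuple[bool, List[str]]:
    """Return (blocked, unacknowledged_ids).

    Blocked stays True while any CRITICAL/HIGH finding has not been acknowledged by id;
    MEDIUM and LOW findings are reported but never block on their own.
    """
    acked = set(acknowledged)
    unacked = sorted(f["id"] for f in findings
                     if f["severity"] in BLOCKING_SEVERITIES and f["id"] not in acked)
    return (bool(unacked), unacked)


if __name__ == "__main__":
    found = parse_findings(SAMPLE_JSONL)
    blocked, pending = acknowledgment_gate(found)
    print("blocked:", blocked, "pending acknowledgment:", pending)
    print(json.dumps(to_sarif(found), indent=2))
```

Acknowledging by finding id rather than by rule keeps the gate explicit: a second CRITICAL finding under an already-acknowledged rule still blocks until someone names it.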
tachi-control-analysis
Domain knowledge for compensating controls analysis — control category definitions with detection patterns, evidence criteria with effectiveness classification, and residual risk calculation with recommendation generation. Loaded on-demand by the control-analyzer agent during codebase scanning and risk assessment phases.
tachi-infographics
Domain knowledge for threat infographic generation — infographic specification formats, template-specific section layouts (Baseball Card, System Architecture, Risk Funnel), Gemini API prompt construction rules, and visual design system tokens. Consumed by the threat-infographic agent during specification and image generation.
tachi-orchestration
Domain knowledge for the tachi orchestrator agent: input format detection, DFD classification, trust boundary notation, STRIDE-per-Element dispatch rules, coverage requirements per component type, coverage matrix model, SARIF 2.1.0 generation specification, output schema tables for threats.md, baseline correlation, structural validation checklist, and error handling templates. Loaded on-demand by the orchestrator during specific pipeline phases.
tachi-report-assembly
Domain knowledge for PDF security report assembly — artifact detection patterns with tier selection rules, Typst data variable contract with type specifications and image path resolution, and brand asset handling with logo location and fallback rules. Consumed by the report-assembler agent during report generation.
tachi-risk-scoring
Domain knowledge for quantitative risk scoring — four-dimensional scoring model (CVSS 3.1, exploitability, scalability, reachability), CVSS base vector mappings, composite score formulas, severity band thresholds, and governance field derivation rules. Consumed by the risk-scorer agent during scoring pipeline execution.
tachi-shared
Shared reference files consumed by multiple tachi agents. Contains canonical definitions for severity bands, STRIDE+AI categories, and finding format that serve as the single source of truth across the pipeline. Agents Read individual reference files on-demand rather than maintaining inline copies.
tachi-threat-reporting
Domain knowledge for narrative threat report generation — executive summary structure, architecture overview patterns, per-category narrative templates, attack tree construction rules with Mermaid syntax, and reference attack tree examples. Consumed by the threat-report agent during report generation.
aod-blueprint
Unified project setup and story generation skill that auto-detects new vs existing projects. Three modes: first-run (creates repo, registers project, activates), subsequent-run (skips setup, adds new stories with deduplication), and demo (loads pre-built Hello World stories). Generates ICE-scored, dependency-ordered stories as GitHub Issues and outputs a consumer guide. Use when a developer invokes /aod.blueprint to bootstrap or extend a project.
aod-bugfix
One-shot governed bug fix loop: diagnose → plan → implement → verify → document. TRIGGER when: user reports a bug, pastes an error message/stack trace/failing test, or asks to fix a bug. Runs 5 Whys root cause analysis, presents confirmation gate before any code changes, implements fix, verifies with tests, and generates KB entry for review.
aod-build
Generate standardized checkpoint reports for multi-phase implementation projects. Use this skill when pausing implementation at strategic milestones (phase completion, user story completion, critical features) to create comprehensive progress reports with task breakdowns, metrics, knowledge base entries, and resume instructions.
aod-deliver
Structured delivery retrospective for the AOD Lifecycle's Deliver stage. Validates Definition of Done, captures delivery metrics (estimated vs. actual duration), logs surprises, feeds new ideas back into discovery via GitHub Issues, and creates Institutional Knowledge entries. Use this skill when you need to close a feature, run a delivery retrospective, capture lessons learned, or complete the AOD lifecycle.
aod-discover
Unified discovery skill with 4 entry points: /aod.discover (full flow: capture + score + validate), /aod.discover --seed (fast-track pre-vetted ideas with auto defaults), /aod.idea (capture + score only), /aod.validate (PM validation for existing idea). Use this skill when you need to capture ideas, run discovery, validate ideas with PM, generate user stories, log feature requests, or add items to the ideas backlog.
aod-kickstart
POC kickstart skill that transforms a project idea into a sequenced consumer guide with 6-10 seed features. Use when a developer invokes /aod.kickstart to generate a consumer guide, when starting a new project and needing a structured backlog plan, or when converting a project idea into seed features for the AOD lifecycle. Three-stage workflow: Idea Intake, Stack Selection, Guide Generation.
aod-plan
Plan stage orchestrator that runs all three Plan sub-steps (spec → project-plan → tasks) in sequence with governance gates. Stops on rejection, continues through approvals. Use this skill when you need to run the full Plan stage, navigate planning sub-steps, or resume after a rejection.
aod-project-plan
Validates architecture documentation completeness by checking for technology stack, API specifications, database schema, security architecture, and alignment with feature specification. Use this skill when you need to check if plan.md is complete before implementation, validate architecture documentation, or review technical plans for completeness.
aod-run
Full lifecycle orchestrator that chains all 6 AOD stages (Discover, Define, Plan, Build, Deliver, Document) with disk-persisted state for session resilience and governance gates at every boundary. Use this skill when you need to run the full lifecycle, orchestrate stages, resume orchestration, or check orchestration status.
aod-score
Re-score an existing idea's ICE rating when circumstances change. Use this skill when you need to re-evaluate ideas, update ICE scores, change idea priority, or re-assess deferred ideas.
aod-spec
Validates specification completeness and quality by checking for mandatory sections, [NEEDS CLARIFICATION] markers, testable criteria, and clear scope boundaries. Use this skill when you need to check if spec is complete, validate specifications, review spec.md, or check specification quality. Ensures specifications are ready for architecture and implementation phases.
aod-status
On-demand backlog snapshot and lifecycle stage summary. Regenerates BACKLOG.md from GitHub Issues and displays item counts per stage. Use this skill when you need to check backlog status, view stage counts, regenerate BACKLOG.md, or get a lifecycle overview.
Bio shown is the top-scored skill's repo description as a fallback — real GitHub bios land in a future update.