PluginBench
Skill
Review
Audit score 70

attack-tree-construction

wshobson/agents

How to install attack-tree-construction

npx skills add https://github.com/wshobson/agents --skill attack-tree-construction
Claude Code
Cursor
Windsurf
Cline
Full instructions (SKILL.md)

Source of truth, from wshobson/agents.


name: attack-tree-construction description: Build comprehensive attack trees to visualize threat paths. Use when mapping attack scenarios, identifying defense gaps, or communicating security risks to stakeholders.

Attack Tree Construction

Systematic attack path visualization and analysis.

When to Use This Skill

  • Visualizing complex attack scenarios
  • Identifying defense gaps and priorities
  • Communicating risks to stakeholders
  • Planning defensive investments
  • Penetration test planning
  • Security architecture review

Core Concepts

1. Attack Tree Structure

                    [Root Goal]
                         |
            ┌────────────┴────────────┐
            │                         │
       [Sub-goal 1]              [Sub-goal 2]
       (OR node)                 (AND node)
            │                         │
      ┌─────┴─────┐             ┌─────┴─────┐
      │           │             │           │
   [Attack]   [Attack]      [Attack]   [Attack]
    (leaf)     (leaf)        (leaf)     (leaf)

2. Node Types

TypeSymbolDescription
OROvalAny child achieves goal
ANDRectangleAll children required
LeafBoxAtomic attack step

3. Attack Attributes

AttributeDescriptionValues
CostResources needed$, $$, $$$
TimeDuration to executeHours, Days, Weeks
SkillExpertise requiredLow, Medium, High
DetectionLikelihood of detectionLow, Medium, High

Templates and detailed worked examples

Full template library lives in references/details.md. Read that file when you need concrete templates for this skill.

Best Practices

Do's

  • Start with clear goals - Define what attacker wants
  • Be exhaustive - Consider all attack vectors
  • Attribute attacks - Cost, skill, and detection
  • Update regularly - New threats emerge
  • Validate with experts - Red team review

Don'ts

  • Don't oversimplify - Real attacks are complex
  • Don't ignore dependencies - AND nodes matter
  • Don't forget insider threats - Not all attackers are external
  • Don't skip mitigations - Trees are for defense planning
  • Don't make it static - Threat landscape evolves