Skip to content

ai-assistant: docs/skills: Add skills STRIDE threat model#888

Open
illume wants to merge 1 commit into
headlamp-k8s:mainfrom
illume:docs/ai-assistant-skills-threat-model
Open

ai-assistant: docs/skills: Add skills STRIDE threat model#888
illume wants to merge 1 commit into
headlamp-k8s:mainfrom
illume:docs/ai-assistant-skills-threat-model

Conversation

@illume

@illume illume commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Adds docs/skills/skills-stride-threat-model.md — a STRIDE threat model for the skills subsystem, covering skill loading, path traversal, and prompt-injection risks with mitigations.

Assisted by Copilot.

Part of the ai-assistant skills documentation series.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a STRIDE threat model document intended to capture security risks and mitigations for an AI “skills” subsystem, focusing on threats like prompt injection, path traversal, and untrusted remote content.

Changes:

  • Adds a new threat model document covering STRIDE categories for the skills system.
  • Includes a system overview (components, data flow, trust boundaries) and a prioritized mitigation plan.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +1 to +3
# STRIDE Threat Model: Headlamp AI Skills System

## 1. System Overview
@illume illume force-pushed the docs/ai-assistant-skills-threat-model branch 2 times, most recently from 2c9a7a6 to 053df35 Compare July 8, 2026 11:52
@illume illume requested review from ashu8912 and Copilot July 8, 2026 11:54

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Comment on lines +5 to +9
The skills system loads Markdown documents ("skills") and injects them into the AI assistant's system prompt. Skills come from:

1. **Local directories** — files on disk (configured paths or well-known project directories)
2. **Auto-discovered project directories** — `.github/skills/`, `.github/instructions/`, `.claude/skills/`, `skills/` scanned automatically when a project is opened
3. **Remote Git repositories** — GitHub zip archives downloaded over HTTPS
STRIDE threat model for the skills subsystem.

Covers threats that arise from loading, parsing, and injecting untrusted skill
content into the LLM system prompt:

- Spoofing / tampering: malicious skill files served from a compromised HTTP
  source; mitigated by configurable source allowlists and content-length limits.
- Path traversal: zip-slip during zip extraction; mitigated by path canonicalisation
  in `SkillZipExtractor` before writing any file.
- Information disclosure: skill content leaking cluster credentials embedded in
  YAML; mitigated by treating skill content as user-visible text, not secrets.
- Denial of service: oversized skill files exhausting memory; mitigated by
  `MAX_ZIP_EXTRACTED_BYTES` and `MAX_ZIP_FILE_COUNT` hard limits.
- Prompt injection: malicious skill content hijacking LLM behaviour; mitigated
  by size budgets and content filtering in `SkillRouter` before injection.

Signed-off-by: René Dudfield <renedudfield@microsoft.com>
Co-authored-by: Ashu Ghildiyal <aghildiyal@microsoft.com>
Signed-off-by: Ashu Ghildiyal <aghildiyal@microsoft.com>
@illume illume force-pushed the docs/ai-assistant-skills-threat-model branch from 053df35 to 8b32509 Compare July 8, 2026 11:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants