Container Runtime Threat Model Generator
by @krishnakumarmahadevan-cmd
Generate container runtime threat models analyzing attack surfaces across container components, images, privileges, network exposure, and security controls....
clawhub install container-runtime-threat-modelπ About This Skill
name: container-runtime-threat-model description: Generate container runtime threat models analyzing attack surfaces across container components, images, privileges, network exposure, and security controls. Use when threat modeling containerized applications, Docker/containerd security review, container escape risk assessment, STRIDE analysis for containers, or cloud-native application security. version: 1.0.0 homepage: https://portal.toolweb.in metadata: openclaw: emoji: "π³" requires: env: - TOOLWEB_API_KEY bins: - curl primaryEnv: TOOLWEB_API_KEY os: - linux - darwin - win32 category: security
Container Runtime Threat Model Generator π³π
Generate comprehensive threat models for containerized applications. Analyzes container components, images, privilege levels, host access, network exposure, security controls (seccomp, AppArmor, admission controllers), data sensitivity, and compliance requirements. Returns STRIDE-based threat analysis, risk scores, attack trees, and prioritized mitigations.
Built by a CISSP/CISM certified security professional at ToolWeb.in
When to Use
Prerequisites
TOOLWEB_API_KEY β Get your API key from portal.toolweb.incurl must be available on the systemCRITICAL: Always Call the API
API Endpoint
POST https://portal.toolweb.in/apis/security/crtmg
Workflow
1. Gather inputs from the user:
Required β Application info:
- app_name β Name of the application (e.g., "payment-service", "web-frontend")
- environment β Environment type (e.g., "production", "staging", "development")
- cloud_provider β Cloud platform (e.g., "AWS", "Azure", "GCP", "On-Premise")
- container_runtime β Container runtime (e.g., "Docker", "containerd", "CRI-O", "Podman")
- orchestrator β Orchestration platform (e.g., "Kubernetes", "ECS", "Docker Swarm", "Nomad", "None")
- components β List of container components. Each requires:
- name β Container/service name (e.g., "api-server", "redis-cache")
- image β Container image (e.g., "nginx:1.25", "node:20-alpine", "custom-app:latest")
- privileged β Runs in privileged mode? (default: false)
- host_network β Uses host networking? (default: false)
- host_pid β Shares host PID namespace? (default: false)
- runs_as_root β Runs as root user? (default: false)
- exposed_ports β Exposed ports (e.g., "80, 443, 8080")
- volumes β Mounted volumes (e.g., "/data, /var/run/docker.sock, /etc/config")
- capabilities β Added Linux capabilities (e.g., "NET_ADMIN, SYS_PTRACE, NET_RAW")
Optional β Security controls:
- image_scanning_enabled β Container image vulnerability scanning? (default: false)
- admission_control_enabled β Admission controller (OPA, Kyverno)? (default: false)
- seccomp_enabled β Seccomp profiles applied? (default: false)
- apparmor_selinux_enabled β AppArmor or SELinux enforced? (default: false)
- read_only_root_fs β Read-only root filesystem? (default: false)
- network_policies_enabled β Network policies in place? (default: false)
- secrets_management β How secrets are managed (e.g., "Vault", "AWS Secrets Manager", "K8s Secrets", "Environment variables", "None")
Optional β Data sensitivity:
- data_classification β Data classification level (e.g., "public", "internal", "confidential", "restricted")
- pii_data β Processes personally identifiable information? (default: false)
- payment_data β Processes payment/financial data? (default: false)
- handles_credentials β Handles authentication credentials? (default: false)
Optional β Compliance:
- compliance_frameworks β Applicable compliance (e.g., "PCI-DSS, SOC2, HIPAA, CIS Benchmarks")
- notes β Additional context
2. Call the API:
curl -s -X POST "https://portal.toolweb.in/apis/security/crtmg" \
-H "Content-Type: application/json" \
-H "X-API-Key: $TOOLWEB_API_KEY" \
-d '{
"app_name": "",
"environment": "",
"cloud_provider": "",
"container_runtime": "",
"orchestrator": "",
"components": [
{
"name": "",
"image": "",
"privileged": false,
"host_network": false,
"host_pid": false,
"runs_as_root": false,
"exposed_ports": "",
"volumes": "",
"capabilities": ""
}
],
"image_scanning_enabled": false,
"admission_control_enabled": false,
"seccomp_enabled": false,
"apparmor_selinux_enabled": false,
"read_only_root_fs": false,
"network_policies_enabled": false,
"secrets_management": "",
"data_classification": "internal",
"pii_data": false,
"payment_data": false,
"handles_credentials": false,
"compliance_frameworks": "",
"notes": ""
}'
3. Present results clearly: - Lead with overall risk score and threat count - Show per-component threat analysis - Highlight critical threats (container escape, privilege escalation) - Present STRIDE categorized threats - List mitigations in priority order
Output Format
π³ Container Runtime Threat Model
ββββββββββββββββββββββββββββββββββApplication: [app_name]
Environment: [environment]
Runtime: [container_runtime] / [orchestrator]
Components: [count]
π Risk Score: [XX/100] β [Critical/High/Medium/Low]
π― Total Threats Identified: [count]
π΄ CRITICAL Threats:
[Container escape, privilege escalation, etc.]
π HIGH Threats:
[Image vulnerabilities, host access, etc.]
π‘ MEDIUM Threats:
[Missing controls, excessive permissions, etc.]
π¦ Per-Component Analysis:
[container1] β Risk: [level]
Threats: [list]
Mitigations: [list]
π‘οΈ STRIDE Summary:
Spoofing: [count] threats
Tampering: [count] threats
Repudiation: [count] threats
Info Disclosure: [count] threats
Denial of Service: [count] threats
Elevation of Privilege: [count] threats
π Priority Mitigations:
1. [Most urgent fix] β Impact: Critical
2. [Next priority] β Impact: High
3. [Next priority] β Impact: Medium
π Threat model generated by ToolWeb.in
Error Handling
TOOLWEB_API_KEY is not set: Tell the user to get an API key from https://portal.toolweb.inExample Interaction
User: "Threat model our payment service β it's a Node.js app running on EKS with Redis cache and PostgreSQL"
Agent flow: 1. Ask: "I'll generate a container threat model. Quick questions: - What images are you using? (e.g., node:20, redis:7, postgres:16) - Do any containers run as root or in privileged mode? - What volumes are mounted? Any docker.sock? - Does the app handle PII or payment data?" 2. User responds with details 3. Call API:
curl -s -X POST "https://portal.toolweb.in/apis/security/crtmg" \
-H "Content-Type: application/json" \
-H "X-API-Key: $TOOLWEB_API_KEY" \
-d '{
"app_name": "payment-service",
"environment": "production",
"cloud_provider": "AWS",
"container_runtime": "containerd",
"orchestrator": "Kubernetes",
"components": [
{"name": "payment-api", "image": "node:20-alpine", "runs_as_root": false, "exposed_ports": "8080", "volumes": "/app/config"},
{"name": "redis-cache", "image": "redis:7-alpine", "runs_as_root": false, "exposed_ports": "6379"},
{"name": "postgres-db", "image": "postgres:16", "runs_as_root": true, "exposed_ports": "5432", "volumes": "/var/lib/postgresql/data"}
],
"image_scanning_enabled": true,
"admission_control_enabled": false,
"seccomp_enabled": false,
"network_policies_enabled": true,
"secrets_management": "AWS Secrets Manager",
"data_classification": "confidential",
"pii_data": true,
"payment_data": true,
"handles_credentials": true,
"compliance_frameworks": "PCI-DSS, SOC2"
}'
4. Present threat model with per-component analysis, STRIDE summary, and priority mitigationsPricing
About
Created by ToolWeb.in β a security-focused MicroSaaS platform with 200+ security APIs, built by a CISSP & CISM certified professional. Trusted by security teams in USA, UK, and Europe and we have platforms for "Pay-per-run", "API Gateway", "MCP Server", "OpenClaw", "RapidAPI" for execution and YouTube channel for demos.
Related Skills
Tips
/var/run/docker.sock) are container escape vectors β always flagβ‘ When to Use
βοΈ Configuration
TOOLWEB_API_KEY β Get your API key from portal.toolweb.incurl must be available on the systemπ Tips & Best Practices
/var/run/docker.sock) are container escape vectors β always flag