tachi-infographics

Domain knowledge for threat infographic generation — infographic specification formats, template-specific section layouts (Baseball Card, System Architecture, Risk Funnel), Gemini API prompt construction rules, and visual design system tokens. Consumed by the threat-infographic agent during specification and image generation.

9 stars

Best use case

tachi-infographics is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Domain knowledge for threat infographic generation — infographic specification formats, template-specific section layouts (Baseball Card, System Architecture, Risk Funnel), Gemini API prompt construction rules, and visual design system tokens. Consumed by the threat-infographic agent during specification and image generation.

Teams using tachi-infographics should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/tachi-infographics/SKILL.md --create-dirs "https://raw.githubusercontent.com/davidmatousek/tachi/main/.claude/skills/tachi-infographics/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/tachi-infographics/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How tachi-infographics Compares

Feature / Agenttachi-infographicsStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Domain knowledge for threat infographic generation — infographic specification formats, template-specific section layouts (Baseball Card, System Architecture, Risk Funnel), Gemini API prompt construction rules, and visual design system tokens. Consumed by the threat-infographic agent during specification and image generation.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# tachi-infographics

Domain knowledge for generating visual threat infographic specifications and images from tachi pipeline output. This skill provides the section format definitions, template-specific rendering rules, Gemini prompt construction guidelines, and visual design tokens that the threat-infographic agent uses to produce presentation-ready infographic specifications.

## Domain Overview

The infographic generation pipeline transforms structured threat model output into two deliverables per template:

1. **Infographic Specification** (`threat-{template-name}-spec.md`) -- A 6-section structured document containing all data points, color coding, layout instructions, and text content needed to render a presentation-ready infographic. This is the primary deliverable.
2. **Infographic Image** (`threat-{template-name}.jpg`) -- A JPEG image rendered from the specification via Gemini API. This is a best-effort deliverable, conditional on API key availability.

The pipeline supports six templates:

| Template | Purpose | Audience |
|----------|---------|----------|
| Baseball Card | Compact risk summary dashboard with donut chart, heat map, and finding cards | Executive overview |
| System Architecture | Annotated architecture diagram with trust zones, attack surface badges, and data flows | Security architects |
| Risk Funnel | 4-tier vertical funnel showing progressive risk reduction through the pipeline | Risk management |
| MAESTRO Stack | Vertical seven-layer stack diagram showing finding counts and highest severities per MAESTRO layer (L1-L7) | CISO / security management |
| MAESTRO Heatmap | Component-by-layer grid with severity coloring at each intersection | Security engineers |
| Executive Architecture | Portrait layered architecture diagram with Critical/High threat callouts, positioned immediately after the Executive Summary in the compiled PDF | CISO / board / executive sponsors |

The first five templates share the same Sections 1-4 format (metadata, risk distribution, coverage heat map, top findings) but have a unique Section 5 (Architecture Threat Overlay) layout. Executive Architecture uses a distinct six-section structure (Metadata, Architecture Layers, Threat Callouts, Severity Distribution, Visual Layout Directives, Gemini Prompt Construction Notes) and is the only template rendered in portrait orientation — see `references/executive-architecture.md` for the full specification.

### Template Shorthands

| Shorthand | Expands To | Description |
|-----------|-----------|-------------|
| `all` | `baseball-card`, `system-architecture`, `risk-funnel`, `executive-architecture` | Generate all four core templates (conditionally extends with MAESTRO templates when MAESTRO data is present) |
| `maestro` | `maestro-stack`, `maestro-heatmap` | Generate both MAESTRO templates sequentially |
| `exec` | `executive-architecture` | Single-template alias (not a compound expansion) |
| `corporate-white` | `baseball-card` | Legacy alias |

When the infographic command receives `maestro` as the template value, it expands to `["maestro-stack", "maestro-heatmap"]` and generates both sequentially. The MAESTRO templates require MAESTRO layer data in threats.md (Feature 084); when MAESTRO data is absent, a graceful empty state is rendered.

The `executive-architecture` template (and its `exec` alias) is distinct from the other templates in two ways: it is rendered in portrait orientation rather than 16:9 landscape, and it uses a six-section structure instead of the shared Sections 1-5 format. When no Critical or High severity findings exist in the threat model, the spec file is still produced but the image is not — see `references/executive-architecture.md` for the full skip behavior specification.

## Data Source Types

The infographic agent consumes one of three data source types, auto-detected by richness:

| Data Source | Risk Label | Score Type | Pipeline Stage |
|-------------|-----------|------------|----------------|
| `compensating-controls` | Residual Risk | Post-control residual scores | After control analysis |
| `risk-scores` | Inherent Risk | Quantitative composite scores | After risk scoring |
| `threats` | Severity | Qualitative severity levels | After threat modeling |

## Loading Table

Reference files are loaded on-demand by the threat-infographic agent at specific workflow phases using the Read tool.

| Reference | File | Load When |
|-----------|------|-----------|
| Infographic Specifications | `references/infographic-specifications.md` | Generating Sections 1-4 of any shared-format template (Baseball Card, System Architecture, Risk Funnel, MAESTRO Stack, MAESTRO Heatmap) |
| Template-Specific Formats | `references/template-specific-formats.md` | Generating Section 5 for any shared-format template |
| Executive Architecture | `references/executive-architecture.md` | Generating the full six-section spec for the `executive-architecture` template (or its `exec` alias) — distinct section structure, portrait orientation, and PDF positioning rules |
| Gemini Prompt Construction | `references/gemini-prompt-construction.md` | Constructing the Gemini API image generation prompt after specification is complete |
| Visual Design System | `references/visual-design-system.md` | Generating Section 6 (Visual Design Directives) and populating template styling for the shared-format templates |

Related Skills

tachi-threat-reporting

9
from davidmatousek/tachi

Domain knowledge for narrative threat report generation — executive summary structure, architecture overview patterns, per-category narrative templates, attack tree construction rules with Mermaid syntax, and reference attack tree examples. Consumed by the threat-report agent during report generation.

tachi-shared

9
from davidmatousek/tachi

Shared reference files consumed by multiple tachi agents. Contains canonical definitions for severity bands, STRIDE+AI categories, and finding format that serve as the single source of truth across the pipeline. Agents Read individual reference files on-demand rather than maintaining inline copies.

tachi-risk-scoring

9
from davidmatousek/tachi

Domain knowledge for quantitative risk scoring — four-dimensional scoring model (CVSS 3.1, exploitability, scalability, reachability), CVSS base vector mappings, composite score formulas, severity band thresholds, and governance field derivation rules. Consumed by the risk-scorer agent during scoring pipeline execution.

tachi-report-assembly

9
from davidmatousek/tachi

Domain knowledge for PDF security report assembly — artifact detection patterns with tier selection rules, Typst data variable contract with type specifications and image path resolution, and brand asset handling with logo location and fallback rules. Consumed by the report-assembler agent during report generation.

tachi-orchestration

9
from davidmatousek/tachi

Domain knowledge for the tachi orchestrator agent: input format detection, DFD classification, trust boundary notation, STRIDE-per-Element dispatch rules, coverage requirements per component type, coverage matrix model, SARIF 2.1.0 generation specification, output schema tables for threats.md, baseline correlation, structural validation checklist, and error handling templates. Loaded on-demand by the orchestrator during specific pipeline phases.

tachi-control-analysis

9
from davidmatousek/tachi

Domain knowledge for compensating controls analysis — control category definitions with detection patterns, evidence criteria with effectiveness classification, and residual risk calculation with recommendation generation. Loaded on-demand by the control-analyzer agent during codebase scanning and risk assessment phases.

~aod-status

9
from davidmatousek/tachi

On-demand backlog snapshot and lifecycle stage summary. Regenerates BACKLOG.md from GitHub Issues and displays item counts per stage. Use this skill when you need to check backlog status, view stage counts, regenerate BACKLOG.md, or get a lifecycle overview.

~aod-spec

9
from davidmatousek/tachi

Validates specification completeness and quality by checking for mandatory sections, [NEEDS CLARIFICATION] markers, testable criteria, and clear scope boundaries. Use this skill when you need to check if spec is complete, validate specifications, review spec.md, or check specification quality. Ensures specifications are ready for architecture and implementation phases.

~aod-score

9
from davidmatousek/tachi

Re-score an existing idea's ICE rating when circumstances change. Use this skill when you need to re-evaluate ideas, update ICE scores, change idea priority, or re-assess deferred ideas.

~aod-run

9
from davidmatousek/tachi

Full lifecycle orchestrator that chains all 6 AOD stages (Discover, Define, Plan, Build, Deliver, Document) with disk-persisted state for session resilience and governance gates at every boundary. Use this skill when you need to run the full lifecycle, orchestrate stages, resume orchestration, or check orchestration status.

~aod-project-plan

9
from davidmatousek/tachi

Validates architecture documentation completeness by checking for technology stack, API specifications, database schema, security architecture, and alignment with feature specification. Use this skill when you need to check if plan.md is complete before implementation, validate architecture documentation, or review technical plans for completeness.

~aod-plan

9
from davidmatousek/tachi

Plan stage orchestrator that runs all three Plan sub-steps (spec → project-plan → tasks) in sequence with governance gates. Stops on rejection, continues through approvals. Use this skill when you need to run the full Plan stage, navigate planning sub-steps, or resume after a rejection.