// Use when auditing an authorized website, SaaS, API, AI app, local code path, GitHub repo, staging URL, or owned runtime for security risks, vulnerability checklist scoring, static review, dynamic review, active validation, or Chinese security reports.
Use when a user is stuck in a complex real-world situation with many conflicts, limited resources, unclear priorities, or asks to identify the principal contradiction, secondary contradictions, dominant aspect, breakthrough actions, monitoring thresholds, probability projection, and Markdown/Word/HTML/PDF reports. Triggers on 矛盾论, 主要矛盾, 次要矛盾, 主次矛盾, 卡住了, 优先级混乱, 找关键问题, 资源有限, 冲突很多. Do not use for philosophy-only summaries, Mao text commentary with no live case, generic brainstorming with no diagnosis, or final licensed medical, legal, investment, or psychological-crisis advice.
Use when adding or auditing Yao copyright comment headers for an agent skill package, especially SKILL.md, README.md, references, prompts, templates, examples, scripts, YAML, or TOML files.
当用户需要分析微信读书阅读历史、生成读书报告、可视化阅读统计、笔记、书架、词云、热力图、雷达图,或导出精排 HTML 报告时使用。也适用于创建 AI 创业者示例阅读报告。不用于通用图书推荐,或不生成报告的原始微信读书 API 查询。
Route CEO-facing competition, negotiation, channel, pricing, platform, M&A, financing, competitor-response, alliance, and regulator problems through an applied game-theory framework router when decisions depend on opponent reactions, credible commitments, signals, payoff/equilibrium logic, historical behavior, dynamic updates, or Markdown/HTML/Word/PDF report export. Do not use for textbook tutoring, proofs, gambling, generic brainstorming, or final legal/financial/regulatory advice.
提供专业的代码审查服务,检查代码质量、安全漏洞、性能问题和最佳实践。支持多种编程语言和框架。
构建和维护领域知识图谱,帮助团队整理概念关系、术语定义和知识体系。支持技术、产品、业务等多种知识域。
| name | yao-websecurity-skill |
| description | Use when auditing an authorized website, SaaS, API, AI app, local code path, GitHub repo, staging URL, or owned runtime for security risks, vulnerability checklist scoring, static review, dynamic review, active validation, or Chinese security reports. |
Use when the user gives a local path, archive, GitHub repo, staging URL, or owned runtime and wants a defensive website security audit, vulnerability checklist review, scorecard, remediation plan, static review, dynamic review, active validation, or Excel/HTML/Markdown/PDF report.
Do not use for unauthorized targets, exploit development, credential theft, stealth, malware, third-party public-target scanning, or bypass instructions.
references/security-audit-method.mdreferences/report-contract.mdreferences/review-modes.mdreferences/vulnerability-ontology.csvreferences/scanner-registry.mdstatic.python3 scripts/security_audit_report.py prepare-env --source "<path-or-url>" --workdir "<fresh-temp-workdir>" --project "<name>" --mode "<mode>". Local and GitHub targets must be copied or cloned into this fresh temp directory; never install, build, migrate, write reports, or mutate the original source tree.dynamic-safe, dynamic-active, hybrid, or online-authorized, configure only temporary secrets, test DB, synthetic accounts/data, loopback or isolated containers, OOB endpoint if authorized, and stop conditions. Destructive file operations, DB writes, brute-force resilience, resource pressure, and blind SSRF/OOB tests default to the isolated temp deployment.target-source with rg --files, manifests, routes/API definitions, auth/session modules, data models, configs, Docker/IaC, CI/CD, and AI/LLM integrations. Record unreadable, generated, vendor, or excluded paths.python3 scripts/security_audit_report.py init --project "<name>" --source "<fresh-temp-workdir>/target-source" --mode "<mode>" --intensity "<intensity>" --out "<fresh-temp-workdir>/security_review.json".V001-V275 by observed attack surface. Mark irrelevant items Not Applicable with a short reason; deep-audit only applicable or unclear items, grouped by domain and priority. Do not spend review budget testing vulnerability families that are not represented in the code, framework, runtime, or deployment model.Unclear or Deferred, not Safe.python3 scripts/security_audit_report.py render --review "<workdir>/security_review.json" --out-dir "<workdir>/security-audit-report"..xlsx, .html, .md, and .pdf paths, selected mode, selected risk domains, P0/P1 findings, unclear items, coverage gaps, runtime assumptions, and active-test evidence.Default outputs are 安全审查评分表.xlsx, 安全审查报告.html, 安全审查报告.md, 安全审查报告.pdf, and security_review.sanitized.json, written outside the audited source tree. Report content is Simplified Chinese by default. Excel must use Chinese labels and Chinese row-level interpretations for verdict, evidence, finding, impact, and remediation, while preserving code identifiers and paths as-is. HTML must include a right-side language toggle with Chinese as the default view and English as the alternate view, plus a sticky top navigation menu for major sections. Markdown is generated from the same Chinese scorecard/report content used by Excel. PDF is a Chinese-first browsing copy optimized for quick review and should use browser/HTML print rendering when available for stable typography and page breaks. Follow references/report-contract.md for review-mode, isolation, and presentation standards. Evidence must be sanitized: no plaintext secrets, cookies, reusable tokens, personal data dumps, or destructive proof steps.
scripts/security_audit_report.py: prepare-env/init/extract/render.templates/review-template.json: review shape.evals/: route boundaries.reports/: reference, output-risk, artifact profiles.