Perform an end-to-end security review of a Power Pages site and consolidate the results into a complete HTML report.
Copy the install instructions below and let the AI complete the setup · Recommended for newcomers
Please install the "security-review" skill from askskill: 1. Download https://raw.githubusercontent.com/microsoft/power-platform-skills/main/plugins/power-pages/skills/security-review/SKILL.md 2. Save it as ~/.claude/skills/security-review/SKILL.md 3. Once installed, reload the skills and tell me it is ready to use.
Please run a complete security review of our Power Pages site, focusing on the live site, browser security headers, the firewall, authentication, and role permissions, and produce an HTML report suitable for pre-release sign-off.
An HTML security review report that consolidates every finding, its risk explanation, and remediation recommendations.
I am developing a Power Pages portal. Please check the site's current access control and security configuration, confirm whether authentication, role permissions, and protective settings have any issues, and produce a complete report.
An HTML report that points out misconfigurations, permission risks, and security gaps so they can be fixed during development.
Please run a security check on this Power Pages site, assess whether it is currently secure, and keep watching the risks in its live exposure, request headers, firewall, and login-related settings.
A security report for routine checks that summarizes the current state, potential risk points, and follow-up recommendations.
Plugin check: Run `node "${CLAUDE_PLUGIN_ROOT}/scripts/check-version.js"` — if it outputs a message, show it to the user before proceeding.
Guide the user through a full security review of their Power Pages site. Runs the matching focused skills and assembles every finding into a single HTML report.
The skill never asks the user technical questions. The conversation stays in plain language.
Initial request: $ARGUMENTS
The skill has six phases. Phases 2–5 each map to one conversation beat with the user; phases 1 and 6 are silent setup and cleanup. See references/flow.md for the rationale behind each beat.
| Phase | What happens | User-facing beat |
|---|---|---|
| 1 — Prerequisites | Locate project, set up working folders | (silent setup) |
| 2 — Scope | Capture goal — one question, three answers, plain language | Ask the goal |
| 3 — Skills | Run the matching skills, surface progress | Scan in progress |
| 4 — Report | Build the consolidated report — totals + per-section findings | Results summary + Findings |
| 5 — Present | Present results, offer remediation follow-ups | Next steps and guidance |
| 6 — Cleanup | Remove temporary files | (silent cleanup) |
Create tasks in three groups. Mark each in_progress when starting, completed when done.
Group 1 — create at the start of prerequisites:
| Task subject | activeForm |
|---|---|
| Check prerequisites | Checking prerequisites |
Only this one task. Do not create any other tasks until prerequisites complete.
Group 2 — create after prerequisites complete:
| Task subject | activeForm |
|---|---|
| Capture goal | Capturing goal |
Group 3 — create after the goal is captured:
| Task subject | activeForm |
|---|---|
| Run skills | Running checks |
| Build the report | Building the report |
| Present findings | Presenting findings |
| Clean up | Cleaning up |
Use Glob to find `**/powerpages.config.json`. If none is found, tell the user the site needs to be created first with `/create-site`, then stop.
For the monitor and release goals (any goal that delegates to scan-site or manage-firewall), also confirm that .powerpages-site/website.yml exists. If it does not, the site has not been deployed yet — tell the user (in plain language) the site needs to be deployed once before a live security review can run, recommend /deploy-site, then stop. Do not try to identify the site by name or URL — different sites can share the same name.
For the access-config goal, the deploy check is not required: authentication, web roles, and table permissions are read from local YAML alone.
Create a fresh working directory: `<SYSTEM_TEMP>/security-review/`. The folder holds the JSON data files emitted by each skill in review mode. The folder is removed in the cleanup step.
If the folder already exists from a previous interrupted run, delete its contents (not the folder itself) before continuing.
The final HTML always lives at `<PROJECT_ROOT>/docs/security-review-<YYYY-MM-DD-HHMMSS>.html`, using the local timestamp at the start of the run (e.g. `security-review-2026-05-14-053805.html`). Always include the timestamp — do not use a bare `security-review.html` name. This keeps each run's report distinct.
Ask the user with a single AskUserQuestion call. If the user's initial request already answers it, skip and continue.
Question — What to review?
| Label | Description |
|---|---|
| Access & config | Check authentication, web roles, and table permissions. Works on local files only. |
| Release readiness | Full review before publishing — checks everything. (Recommended) |
…