Run an end-to-end Power Pages security review with a consolidated HTML report.
The material indicates this skill mainly orchestrates a Power Pages security review workflow, and the objective checks mark it as prompt-only, open-source, with no keys and no remote endpoints. Overall risk is low based on the available facts, but the README includes instructions to run a local node script and use local files/temp directories, so code execution, data access, and supply-chain aspects still warrant caution.
The material and objective checks both indicate no keys or environment variables are required. No token, password, or third-party credential requests are described, so credential exposure risk appears low.
The objective checks list no remote endpoints, and the material does not declare sending data to external services. Although it mentions reviewing the live site, browser headers, and firewall, the provided excerpt does not identify any third-party egress destination.
The README explicitly includes a local command execution instruction: run `node "${CLAUDE_PLUGIN_ROOT}/scripts/check-version.js"`, and it also directs use of Glob, working-directory creation, and invoking other skills. This kind of local execution/orchestration is a normal tool capability, but the host should ensure it only runs within the intended scope.
The material states it will locate `**/powerpages.config.json`, check `.powerpages-site/website.yml`, create a temporary folder at `<SYSTEM_TEMP>/security-review/`, and generate a consolidated HTML report. This implies access to local project configuration and local output generation, with no clear evidence of access beyond the stated purpose.
Positive signals include a GitHub-hosted open-source repository that is auditable. However, adoption is listed as 0 stars, the license is unspecified, maintenance status is unknown, and the material references a plugin-root script and other skills, so supply-chain transparency and ongoing maintenance evidence are limited; review the repository before use.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "security-review" skill from askskill: 1. Download https://raw.githubusercontent.com/microsoft/power-platform-skills/main/plugins/power-pages/skills/security-review/SKILL.md 2. Save it as ~/.claude/skills/security-review/SKILL.md 3. Reload skills and tell me it's ready
Run a full security review of our Power Pages site. Check the live site, browser security headers, firewall, authentication, and role-based permissions, then generate an HTML report for release readiness.
An HTML security review report summarizing findings, risks, and remediation recommendations.
I am developing a Power Pages portal. Review the current access controls and security configuration, verify authentication, role permissions, and protection settings, and provide a complete report.
An HTML report highlighting misconfigurations, permission risks, and security gaps for development-stage fixes.
Perform a security check on this Power Pages site, assess whether it is currently safe, and monitor risks across the live surface, headers, firewall, and sign-in settings.
A security report for ongoing reviews that summarizes current status, potential risks, and next-step recommendations.
Plugin check: Run
node "${CLAUDE_PLUGIN_ROOT}/scripts/check-version.js"— if it outputs a message, show it to the user before proceeding.
Guide the user through a full security review of their Power Pages site. Runs the matching focused skills and assembles every finding into a single HTML report.
The skill never asks the user technical questions. The conversation stays in plain language.
Initial request: $ARGUMENTS
The skill has six phases. Phases 2–5 each map to one conversation beat with the user; phases 1 and 6 are silent setup and cleanup. See references/flow.md for the rationale behind each beat.
| Phase | What happens | User-facing beat |
|---|---|---|
| 1 — Prerequisites | Locate project, set up working folders | (silent setup) |
| 2 — Scope | Capture goal — one question, three answers, plain language | Ask the goal |
| 3 — Skills | Run the matching skills, surface progress | Scan in progress |
| 4 — Report | Build the consolidated report — totals + per-section findings | Results summary + Findings |
| 5 — Present | Present results, offer remediation follow-ups | Next steps and guidance |
| 6 — Cleanup | Remove temporary files | (silent cleanup) |
Create tasks in three groups. Mark each in_progress when starting, completed when done.
Group 1 — create at the start of prerequisites:
| Task subject | activeForm |
|---|---|
| Check prerequisites | Checking prerequisites |
Only this one task. Do not create any other tasks until prerequisites complete.
Group 2 — create after prerequisites complete:
| Task subject | activeForm |
|---|---|
| Capture goal | Capturing goal |
Group 3 — create after the goal is captured:
| Task subject | activeForm |
|---|---|
| Run skills | Running checks |
| Build the report | Building the report |
| Present findings | Presenting findings |
| Clean up | Cleaning up |
Use Glob to find **/powerpages.config.json. If none is found, tell the user the site needs to be created first with /create-site, then stop.
For the monitor and release goals (any goal that delegates to scan-site or manage-firewall), also confirm that .powerpages-site/website.yml exists. If it does not, the site has not been deployed yet — tell the user (in plain language) the site needs to be deployed once before a live security review can run, recommend /deploy-site, then stop. Do not try to identify the site by name or URL — different sites can share the same name.
For the access-config goal, the deploy check is not required: authentication, web roles, and table permissions are read from local YAML alone.
Create a fresh working directory: <SYSTEM_TEMP>/security-review/. The folder holds JSON data files emitted by each skill in review mode. The folder is removed in the cleanup step.
If the folder already exists from a previous interrupted run, delete its contents (not the folder itself) before continuing.
The final HTML always lives at <PROJECT_ROOT>/docs/security-review-<YYYY-MM-DD-HHMMSS>.html using the local timestamp at the start of the run (e.g. security-review-2026-05-14-053805.html). Always include the timestamp — do not use a bare security-review.html name. This keeps each run's report distinct.
Ask the user with a single AskUserQuestion call. If the user's initial request already answers it, skip and continue.
Question — What to review?
| Label | Description |
|---|---|
| Access & config | Check authentication, web roles, and table permissions. Works on local files only. |
| Release readiness | Full review before publishing — checks everything. (Recommended) |
…
Review and fix Power Pages security headers, CSP, CORS, cookies, and embedding settings.
Test deployed Power Pages sites with browsing, crawling, and API verification.
Add a data source or connector to a Power Apps code app.
Add Azure DevOps to Power Apps for work items, bugs, pipelines, and API calls.
Add the Excel Online connector to read and write workbook data.
Set up Power Platform Pipelines for automated Power Pages deployments.
Audit Power Pages table permissions and get prioritized security findings with fixes.
Review security risks for auth, inputs, secrets, APIs, and sensitive features.
Inspect and configure WAF protection for a Power Pages production site.
Review architecture or code for security risks, vulnerabilities, and compliance issues.
Run website health audits for security, performance, email setup, and link issues.
Review repositories in natural language for security, performance, and code quality issues