Open-sourcing a Website Security Scanning Skill: yao-websecurity-skill. It is known that at least three listed companies have deployed GEOFlow, and many friends are using this system for various secondary developments, including commercial SaaS versions. Therefore, its security issues need to be taken seriously. Additionally, during the development of many open-source projects, security issues are easily overlooked. Hence, this Skill for website security review was created.

Design steps:

1. Used GTP-5.5 Pro to help me organize the current mainstream security vulnerability types. A total of 275 common and high-value inspection items were researched and compiled. This report is also open-sourced and shared.
2. Used yao-meta-skill to build the first version of the security review Skill based on the analysis report of these 275 security vulnerability types.
3. Multiple iterations added: multiple security review modes, strategies and processes such as automatically copying and creating a temporary environment during scanning.

Basic logic:

1. Built-in 275 website safety check items, covering authentication and authorization, API privilege escalation, SSRF, XSS, file upload, supply chain, container deployment, database, Redis, WebSocket, AI/RAG, and other areas.
2. Supports multiple review modes: static review, low-level dynamic check, authorized dynamic review. Priority defaults to security without destruction, code modification, or touching production data.
3. All local projects and GitHub repositories first enter a brand new temporary directory and temporary runtime environment to avoid contaminating the original project.
4. Automatically generates a security score sheet and a complete report, outputting security reports in four formats.

In the past two days, I performed a security scan on my own system and indeed found many security risks. With this report, AI can then perform more targeted security risk fixes.

Skill’s GitHub repository: https://github.com/yaojingang/yao-open-skills/tree/main/skills/yao-websecurity-skill…
Example report: https://github.com/yaojingang/yao-open-skills/tree/main/skills/yao-websecurity-skill/examples/fictional-starbridge-audit…
275 common security vulnerability type report: https://github.com/yaojingang/yao-open-skills/tree/main/skills/yao-websecurity-skill/references…

yaojingang/yao-open-skills

Source: https://github.com/yaojingang/yao-open-skills

Yao Open Skills

A curated collection of production-ready AI skills for research, decision, business, learning, and document generation

OpenYao continues the method line of YAO = Yielding AI Outcomes. The focus is not on piling up more prompt text, but on precipitating effective methods, processes, evaluations, aesthetic constraints, and execution boundaries into reusable AI assets, ultimately producing real, deliverable results.

Yao Open Skills is a growing collection of AI-native skills designed for real-world work: turning uncertain decisions into reports, turning business questions into structured analysis, and turning topics or reference packets into polished tutorial documents.

This directory serves two purposes at the same time:

• As a local workspace for the GitHub open-source collection.
• As a local sync management center, recording which Skill has been included in the collection, its current publication status, and whether the documentation page has been updated.
• As a release entry point for subsequent version iterations, pushing to GitHub after each confirmed update.

Navigation

• OpenYao Philosophy
• Recommended Entry Points
• Published Skill Guides
• Featured Published Skills
• Skill Catalog
• Publishing Rules
• Naming Conventions
• Repository Design

OpenYao Philosophy

yao-open-skills aims to publicly share not a “collection of scattered prompts” but a more stable AI asset perspective:

• Skills should serve real task outcomes, not just the conversation process.
• Skills should be reusable, maintainable, and evaluable, not one-time tricks.
• Skills should be able to precipitate into team assets, not remain in personal memory and chat logs.
• An open-source collection should emphasize method quality, clear boundaries, and continuous evolution, not quantity.

In other words, OpenYao pushes the YAO methodology one step further into a public knowledge base: making those skills worth sharing not only exist locally but become a discoverable, citable, improvable, and reusable collection of public capabilities.

Featured Skill Lines

This section showcases the capability lines that the OpenYao plans to build long-term, aiming to remain “function-oriented + verb-like” in style to avoid a scattered naming system.

Skill Doctor – Diagnose and fix issues in skills automatically.
Skill Optimizer – Improve performance, structure, and effectiveness.
Skill Ranker – Evaluate and rank skills based on real impact.

These names represent product directions; they do not mean they are all already included as independent Skills in the repository. The current repository distinguishes between “published capabilities” and “planned capability lines.”

Recommended Entry Points

If you want to understand the meta-methodology behind OpenYao, first look at yao-meta-skill (https://github.com/yaojingang/yao-meta-skill).
This is the meta-skill project within the YAO method line, used to further precipitate workflows, prompts, notes, and execution experience into Skill assets that can be created, evaluated, governed, and packaged.

The relationship between these two repositories can be simply understood as:

• yao-meta-skill (https://github.com/yaojingang/yao-meta-skill): Defines how to systematically create, evaluate, govern, and package Skills.
• yao-open-skills (https://github.com/yaojingang/yao-open-skills): Includes those Skill achievements already worth sharing publicly.

If you think of yao-meta-skill as a “meta-method engine,” then yao-open-skills is more like a “public product showcase layer.”

Repository Goals

• Organize scattered local Skills into a stable public collection.
• Keep clear sources, inclusion paths, sync status, and license information for each public Skill.
• Screen Skills with unified rules to avoid pushing private data, output products, and experimental junk into the public repository.
• Allow truly valuable Skills under the YAO methodology to form a continuously evolving public asset library.

Public Inclusion Criteria

• Clear topic: others can see the Skill name and description to know what problem it solves.
• Reusable: does not rely on private context on your personal computer to run.
• Cleanable: can remove sensitive information, caches, output items, account traces, and internal documents.
• Maintainable: you are willing to continue fixing, iterating, and explaining it.

Detailed rules found in:

• docs/repository-design.md
• docs/naming-conventions.md
• docs/publishing-rules.md

Directory Structure

yao-open-skills/
├── README.md
├── docs/
├── registry/
├── scripts/
└── skills/

• docs/: Repository design, publishing rules, sync specifications.
• registry/: Skill registration table, the source of truth for local and public status.
• scripts/: Auxiliary scripts for updating the registration table and README.
• skills/: Copies of Skills actually included in the public collection.

Planned Capability Families

To make this repository feel like an ecosystem rather than a miscellaneous pile, two capability family directories are pre-reserved:

• skills/skill-builder/
• skills/skill-analyzer/ They are currently only placeholder directories to constrain future expansion directions.

Published Skill Guides

• Skill Guides Index
• Yao Open Skills Sync
• Skill Doctor
• Yao Bayesian Skill
• Yao Business Skill
• Yao Game Theory Skill
• Yao Kelly Skill
• Yao Tutorial Skill
• Yao Websecurity Skill

Featured Published Skills

Yao Websecurity Skill

yao-websecurity-skill is a security review Skill for authorized websites, SaaS, APIs, AI applications, local code directories, and GitHub repositories.

It is not a simple scanner call. Instead, it first understands the system code, routes, authentication, data models, deployment configurations, dependencies, and AI/LLM integrations, then filters truly relevant check items from the V001-V275 vulnerability ontology, and finally outputs a verifiable security score table and review report.

The public version now features these outstanding characteristics:

• Built-in 275 website security check items covering access control, authentication sessions, API, XSS, CSRF, SSRF, file upload, dependencies, containers, CI/CD, database, cache, AI/RAG/LLM and other risk domains.
• Supports multiple review modes: static, dynamic-safe, dynamic-active, online-authorized, and hybrid.
• Local code and GitHub repositories must be copied or cloned to a brand new temporary directory; building, running, testing, and report generation are all done within an isolated workspace.
• Dynamic active testing is controlled by an authorization switch; blind SSRF/OOB, brute force, file changes, database writes, and resource stress tests are only allowed in isolated temporary deployments by default.
• Reports default to Chinese, outputting Excel + HTML + Markdown + PDF + sanitized JSON.
• HTML supports Chinese/English toggle and sticky top navigation; Excel uses Chinese status, Chinese explanations, and an engineering-friendly scoring table.
• Before rendering, local absolute paths, cookies, Bearer Tokens, API Keys, passwords, private keys, and long token-like strings are cleaned.

If you want to quickly understand this Skill, follow this order:

1. Public documentation
2. Skill entry
3. Directory description
4. Review modes
5. Report contract
6. Vulnerability ontology
7. Report script
8. Fictional example report

Yao Tutorial Skill

yao-tutorial-skill is a production-oriented Skill that goes “from topic or material package to complete tutorial finished product.”

It does not simply help you write an explanatory text but organizes the input topic, user-provided materials, authoritative sources, papers, GitHub practices, and case evidence into a deliverable tutorial package: first normalize requirements, then conduct research and evidence gathering, then generate a beginner-friendly chapter outline, and finally output a Markdown + Word + PDF + HTML with images.

The public version now features these outstanding characteristics:

• Supports inputting just a topic or a set of materials, links, papers, repositories, or drafts.
• Prioritizes user-provided materials; supplements with external authoritative sources when insufficient.
• Written for beginners; titles convey user benefits, outlines speak in plain language, chapter structures are accessible and actionable.
• Public finished products do not display internal evidence markers like [U1] or [X1], nor do they write “compiled from original text.”
• Each chapter must have a corresponding visual illustration.
• Illustrations are first generated as HTML canvases, then screenshotted and embedded into the tutorial content.
• HTML reports support centered content container, left-side table of contents, date, chapter jumps, and clean reading layout.
• Word/PDF by default remove headers and footers to avoid export paths, page numbers, and browser print information interfering with reading.
• Built-in validation script checks chapters, illustrations, references, export files, and local path leaks.

If you want to quickly understand this Skill, follow this order:

1. Public documentation
2. Skill entry
3. Input adaptation rules
4. Tutorial writing rules
5. Visual canvas rules
6. Export and validation script

Yao Bayesian Skill

yao-bayesian-skill is currently the most complete “evidence-to-action” type Skill in the public collection.

Its focus is not to explain Bayes’ theorem but to compress a real-world uncertain problem into an executable, reviewable, and continuously iterable decision process.

The public version now features these outstanding characteristics:

• Supports starting from incomplete input, first giving a weak prior and preliminary judgment.
• Supports multi-turn follow-up, continuously updating prior, posterior, and decision readiness.
• Built-in Bayesian prior check, selecting 3 to 5 most relevant items from 20 life judgment principles for this session.
• Records which information changed judgments in each round of conversation.
• Report first presents a readable conclusion for ordinary users, then shows technical details.
• Default generates Markdown + bilingual HTML.
• HTML supports Chinese/English toggle, sticky navigation, printing, and direct storage as PDF in the browser.

If you want to quickly understand this Skill, follow this order:

1. Public documentation
2. Skill entry
3. Detailed case input
4. Export script
5. Example report directory

Yao Game Theory Skill

yao-gametheory-skill is a game theory strategic report Skill designed for competition, negotiation, alliances, channels, platforms, and competitive counterattacks.

It suits all scenarios where “our actions will trigger opponent reactions”: price wars, channel conflicts, competitive counterattacks, platform ecosystems, financing negotiations, M&A bidding, market entry, alliance cooperation, and regulatory communication.

It does not stack game theory as textbook concepts but translates the CEO’s question into players, strategies, payoffs, timing, signals, commitments, and equilibrium checks, focusing on:

• How the opponent might react.
• Whether our commitment actions are credible.
• Which strategy remains more stable after the opponent’s reaction.

Its design principle is: first identify players, strategies, payoffs, constraints, and action timing, then route to appropriate game theory framework combinations, and finally convert the model into a strategic report directly usable by management.

The public version now features these outstanding characteristics:

• Built-in framework catalog and AI application router covering Nash equilibrium, Prisoner’s Dilemma, Zero-sum, Coordination, Hawk-Dove, Stag Hunt, Entry Deterrence, Stackelberg, Bertrand/Cournot, Signaling, Repeated Games, Auctions, Alliances, and Mechanism Design.
• Combines frameworks based on scenarios, not mechanically applying concepts; e.g., price wars combine Bertrand, Prisoner’s Dilemma, Repeated Games, and credible commitments.
• Added a real historical behavior correction layer that adjusts opponent rationality probability using past threat fulfillment rates, free version investment, channel attack history, and experiential references to avoid overestimating opponent time consistency.
• Supports starting from incomplete strategic input, first building an updateable weak model.
• Has clear routing for price wars, channel conflicts, platform ecosystems, M&A bidding, financing negotiations, competitor free versions, and regulatory communication.
• Report front-loads recommended actions, opponent reaction map, payoff matrix, historical behavior correction, commitment credibility, strategy readiness, and sensitivity checks.
• Supports incorporating subsequent opponent actions into the original case and rerunning the report.
• Default generates Markdown + HTML + Word + PDF + canonical JSON.
• Word/PDF wide tables have been processed with landscape pages, real tables, fixed width, and safe line breaks.

If you want to quickly understand this Skill, follow this order:

1. Directory description
2. Public documentation
3. Skill entry
4. Framework catalog and AI router
5. Price war example input
6. Export script
7. Example report directory

Workflow

1. You provide a local Skill path.
2. According to the rules, determine whether this Skill is suitable for public release.
3. After cleaning sensitive files and irrelevant products, copy it to skills/<skill-name>/.
4. Write or update the registration information in registry/skills.json.
5. Run the README rendering script to refresh the collection description page.
6. If you want to publish, push the repository to GitHub’s yao-open-skills.

GitHub Publishing Conventions

• The GitHub repository name is fixed as yao-open-skills.
• After the local collection has changed, first update registry/skills.json and README, then perform Git commit and push.
• Only after actual push is completed can the relevant Skill be marked as published and have last_synced_at recorded.
• If the local source Skill later changes but GitHub hasn’t been updated, the corresponding record should be marked as needs-update.

Locally Managing Skills

This repository includes a built-in management Skill:

• skills/yao-open-skills-sync/SKILL.md

Its responsibilities are:

• Receive a local Skill path you provide.
• Determine if it is suitable for public release.
• Import it into yao-open-skills according to collection rules.
• Maintain the registration table and the README catalog page.
• Record whether this Skill has been synced to GitHub and its online corresponding path.

Skill Catalog

Subsequent Conventions

• registry/skills.json is the source of truth.
• The catalog table in README is generated by script, not manually maintained.
• Any newly included Skill must first pass the publishing rules, then update the registration table and README.
• Any change intended for public release should be pushed to the GitHub remote repository after completion.