A Simple and Universal Product Rehearsal Engine, Speccing Anything. 简洁通用的产品推演引擎,推演万物。
# Add to your Claude Code skills
git clone https://github.com/xiaojilele-glitch/WhyBuddyLast scanned: 5/30/2026
{
"issues": [
{
"type": "npm-audit",
"message": "@chevrotain/cst-dts-gen: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@chevrotain/gast: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@mermaid-js/parser: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@protobufjs/utf8: protobufjs has overlong UTF-8 decoding",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@xmldom/xmldom: xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion",
"severity": "high"
},
{
"type": "npm-audit",
"message": "axios: Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF",
"severity": "high"
},
{
"type": "npm-audit",
"message": "body-parser: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "chevrotain: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "dockerode: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "dompurify: DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "engine.io: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "engine.io-client: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "esbuild: esbuild enables any website to send any requests to the development server and read the response",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "express: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "follow-redirects: follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "langium: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "lodash: lodash vulnerable to Code Injection via `_.template` imports key names",
"severity": "high"
},
{
"type": "npm-audit",
"message": "lodash-es: Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions",
"severity": "high"
},
{
"type": "npm-audit",
"message": "mermaid: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "path-to-regexp: path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters",
"severity": "high"
},
{
"type": "npm-audit",
"message": "postcss: PostCSS has XSS via Unescaped </style> in its CSS Stringify Output",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "protobufjs: Arbitrary code execution in protobufjs",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "qs: qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "socket.io-adapter: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "uuid: uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "vite: Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling",
"severity": "high"
},
{
"type": "npm-audit",
"message": "vite-node: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "vitest: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "ws: ws: Uninitialized memory disclosure",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "xlsx: Prototype Pollution in sheetJS",
"severity": "high"
}
],
"status": "FAILED",
"scannedAt": "2026-05-30T15:15:18.985Z",
"npmAuditRan": true,
"pipAuditRan": true
}WhyBuddy is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by xiaojilele-glitch. A Simple and Universal Product Rehearsal Engine, Speccing Anything. 简洁通用的产品推演引擎,推演万物。. It has 350 GitHub stars.
WhyBuddy failed SkillsLLM's automated security scan, which flagged one or more high-severity issues. Review the Security Report section carefully before using it.
Clone the repository with "git clone https://github.com/xiaojilele-glitch/WhyBuddy" and add it to your Claude Code skills directory (see the Installation section above).
WhyBuddy is primarily written in TypeScript. It is open-source under xiaojilele-glitch on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh WhyBuddy against similar tools.
No comments yet. Be the first to share your thoughts!
Requires a passing catalog security scan. Resolve the flagged issues and resubmit to enable featuring.
You enter one sentence. The system rehearses a complete product plan for you.
Spec documents · System architecture · Route planning · Prompt pack · Effect preview
Fully visible. Fully exportable. Fully backed by an evidence trail.
You spend days writing a PRD, weeks aligning the team, and months before you know whether the direction is right.
Enter an idea → one coffee's worth of real LLM deliberation, every step visible → full rehearsal → decide whether it is worth building → if not, move to the next idea.
A consolidated 16-screen photo wall from SlideRule example rehearsals.
Watch the Full Rehearsal Demo
TRAE SOLO-based product rehearsal automation: from a one-sentence idea to executable specs.
Click the video cover above to open the Bilibili demo.
The rehearsed model is no longer just diagrams — the browser renders it into an operable system, ECharts-style: the five-system JSON is the schema, zero backend, zero database.
| Restyled studio — brand sidebar, system pills, guided examples | Linkage graph — five grouped systems, every member expanded, semantic-colored cross-references |
| Live workflow — role-colored nodes, condition edges; running instances light up their current node in real time | Run the app — Ant Design Pro shell rendered from the model: dashboard charts, tables, forms, approval submissions |
What you can actually do after a topic closes (all state lives in the browser, per-session):
LLM_GENERATE_DISABLED / LLM_GENERATE_FAILED).5-minute demo script: npm run dev:all → send “做一个连锁健身房管理系统…” → watch the live LLM stream close 6/6 → AppBundle ▸ 联动图 for the full cross-system picture → 运行应用, create a record, submit for approval, switch to the phone frame → Workflow ▸ 试运行, approve a step and watch the diagram highlight move → 交付物 ▸ export, find the snapshot appendix at the bottom.
sliderule Skill Package (Portable · Embeddable in Any Agent)Besides the full app, SlideRule also ships a self-contained Skill package that can be dropped into Trae, Claude, or any host that supports Agent Skills. One sentence in → a reviewable, deliverable spec package out, with every gate actually run by scripts instead of merely claimed by the model.
Guarantee the floor, not the ceiling. Deterministic scripts guarantee the floor — valid structure, success criteria covered by requirements, EARS acceptance, cited evidence, gate results logged, every artifact provenance-labeled. They do not promise the ceiling; real depth still needs a real repo and a human. Everything it generates is labeled with how much you can trust it.
The ready-to-import Skill archive is included at skills/sliderule.zip. Unzip it, then drop the resulting sliderule/ folder into your agent host's skills directory (Trae: Skills · Claude: skill). See skills/README.md for the exact directory layout.
# 1. From th