aicreat

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is instruction-only and purpose-aligned, but it can create persistent NocoBase chatbots with database, form, workflow, and page-integration authority without clear approval or permission boundaries.

Install only if you trust the NocoBase environment and intend the agent to manage AI employees. Before using it, confirm exactly which AI employee, page, table, and workflow each action affects; avoid broad database access; and require manual approval for create, update, delete, shortcut, button, and workflow-related changes.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could alter NocoBase AI employee configuration or page UI elements if invoked with these tools, potentially affecting other users of the application.

Why it was flagged

The skill exposes tools that can create, update, delete, and attach AI employees to NocoBase pages. The artifact does not specify approval gates, dry-run behavior, target validation, or rollback before persistent or destructive changes.

Skill content

tools:
  - nb_create_ai_employee
  - nb_list_ai_employees
  - nb_get_ai_employee
  - nb_update_ai_employee
  - nb_delete_ai_employee
  - nb_ai_shortcut
  - nb_ai_button

Recommendation

Require explicit user confirmation before create, update, delete, shortcut, or button changes; show the target username/page/block ID and resulting configuration before applying it.

What this means

A created AI employee may be able to query business data, inspect schema, fill forms, or call workflows beyond what the user intended if NocoBase permissions are not tightly configured.

Why it was flagged

The skill recommends binding AI employees to database query/counting, form-filling, and workflow tools, with several set to autoCall. The artifact only recommends listing data scope in prompts and does not show enforced role, table, or workflow permission limits.

Skill content

| `dataSource-dataSourceQuery` | Query database | true |
| `dataSource-dataSourceCounting` | Count records | true |
| `frontend-formFiller` | Auto-fill forms | true |
| `workflowCaller-<key>` | Custom workflow tool | false |

Recommendation

Bind only the minimum required tools, enforce permissions in NocoBase roles or tool implementations, avoid autoCall for sensitive tools unless necessary, and explicitly document allowed tables and workflows.

What this means

Incorrect or overly broad prompts may persist and continue guiding the AI employee after the initial setup.

Why it was flagged

The skill creates persistent AI employee system prompts and behavior rules. This is expected for the purpose, but those stored instructions can influence future interactions.

Skill content

- **about**: System prompt defining role, data scope, and behavior
...
"Full system prompt with role, data scope, behavior rules..."

Recommendation

Review stored prompts before saving, avoid including secrets, and keep versioned records so prompt changes can be audited or rolled back.

What this means

Created assistants may continue to be visible and usable on NocoBase pages by future users until removed or disabled.

Why it was flagged

The skill is meant to create long-lived chatbot assistants and expose them through page UI integrations. This persistence is disclosed and purpose-aligned, but users should recognize that the assistants remain available after creation.

Skill content

AI employees appear on pages in two ways:
1. **Floating Avatar** ...
2. **Action Bar Button** ...

Recommendation

Keep an inventory of created AI employees, restrict who can access them, and remove or disable shortcuts/buttons when they are no longer needed.