cms-tbs-scene-create
v0.6.0提供【TBS场景创建】全流程执行能力。用户一旦表达“创建TBS场景/建训练场景/把业务背景转成可创建场景/确认后创建场景”等执行意图,必须进入本 Skill 的结构化解析与脚本调用流程;仅当用户明确是纯咨询时,才允许先文字说明并二次确认是否执行。本 Skill 通过依赖 `cms-auth-skills` 获取...
⭐ 0· 48·0 current·0 all-time
by@spzwin
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description match the included artifacts: SKILL.md documents a TBS scene creation flow and the bundle contains parse/validate/create scripts plus a TBS client library. Declared dependency on cms-auth-skills to obtain an access token is coherent with the code which requires --access-token. No unrelated credentials, binaries, or external services are requested.
Instruction Scope
Runtime instructions limit actions to reading local references/prompts and executing the provided scripts; SKILL.md explicitly requires reading references/auth.md and explicit user confirmation before invoking the create script. The scripts read and write draft JSON files (draftPath), and perform network calls to the TBS Admin API. This scope is expected for a create workflow, but note the code will persist results to disk and can perform entity creation (resolve_or_create_*) as part of resolution/creation steps—so only run with correct user confirmation and trusted inputs.
Install Mechanism
There is no external install spec (instruction-only), which minimizes supply-chain risk. However, the skill bundle includes multiple Python modules that will be executed by the agent when invoked. No third-party packages are fetched at install time, but the code uses the 'requests' library at runtime (ensure it is available). No downloads from arbitrary URLs are present.
Credentials
The skill does not request environment variables or unrelated credentials. It requires an access token passed to the scripts (SKILL.md declares dependency on cms-auth-skills to supply 'access-token'), which is proportional to calling the TBS Admin API. No additional secrets or unrelated config paths are requested.
Persistence & Privilege
always is false and the skill is user-invocable (normal). Scripts write/overwrite a provided draftPath and create parent directories (persist_result). The skill does not appear to modify other skills or global agent settings. Be aware that it will create/update entities in the remote TBS service when run with a valid token.
Assessment
This skill appears internally consistent for creating TBS scenes, but review before using in production: (1) The scripts perform network requests to the default base_url and will create or update entities in the remote TBS service—only run when the user has explicitly confirmed creation. (2) The client disables TLS verification (requests.verify=False) which weakens transport security and can expose tokens to interception — consider running in a trusted network or patching the code to enable certificate verification. (3) The code logs/raises errors including request bodies and snippets of responses; avoid passing highly sensitive data in params or ensure logs are protected. (4) Confirm cms-auth-skills you use supplies a least-privilege access-token and test the skill in a staging environment first. If you want higher assurance, provide the omitted files for review (some files were truncated/omitted in the package listing) and consider enabling request verification or limiting network access to the known TBS endpoint.Like a lobster shell, security has layers — review code before you run it.
latest
cms-tbs-scene-create
核心定位
本 Skill 只做一件事:根据用户执行意图,读取对应 references/*.md 与 prompts/*.json,再执行 scripts/*.py。
参数、边界、分支逻辑都以 references 为准,SKILL.md 只负责入口和流程约束。
强制前置
真实创建前须经 cms-auth-skills 取 token,并以 --access-token 注入 tbs-scene-create.py。细则见 references/auth.md。
标准执行流程(必须遵循)
- 识别用户是“执行动作”还是“纯咨询”。
- 若是纯咨询:先提供说明性答复,并明确询问是否进入创建执行;在用户未明确要求执行前,不进入脚本调用链路。
- 若是执行动作:先定位目标脚本。
- 先读取
references/auth.md,确保access-token与--base-url环境一致(未读不得进入真实创建链路)。 - 再读取该脚本对应的
references/*.md(及本阶段要求的prompts/*.json),未读不得执行。 - 按文档组装参数并执行
python3 scripts/<name>.py。 - 如一轮调用多个脚本,每个脚本的 reference 都要先读再执行。
内部编排与门禁(要点)
| 环节 | 看什么 |
|---|---|
| 通用 | success / error |
| parse | stage、missingFields、parseMeta、userOutputTemplate;拒补丁时 patch_fields_locked + rejectedFields |
| validate | validationReport.scope(FULL|TBV)、passed、blockingIssues、warningIssues;TBV 另有 tbvReport |
草稿 meta | lastFullValidationPassed、lastTbvPassed(validate 写入;create 与入参 meta 合并) |
| create | userConfirmation + 上表校验与 meta 组合;结果里 sceneId 等 |
串联:parse →(可选 S3)→ validate → create。success=true 不等于可进下一步。
- parse:
baseInfoAcknowledged后禁止补丁改基础六字段;已进入READY_FOR_SCENE_GENERATION/READY_FOR_VALIDATE后,补丁仅title、sceneBackground、background。 - PRE:用
parseMeta/changeSummaryLines口述摘要;skipScenarioGenerationSuggested=true仍须 TBV + PRE,不得跳过校验。 - validate:默认全量
FULL;仅改标题/背景后用TBV。写draftPath时合并原 JSON,勿丢parseResult。 - create:
确认+ (A)scope缺省或FULL且passed,或 (B)TBV且passed且meta.lastFullValidationPassed=true。 - 失败(非用户取消):先处理
error再重试或回退。
用户可见回复
话术模板与阶段开场:references/tbs-scene-parse.md。
禁止播报读文档/跑脚本等内部过程;不向用户贴 JSON。
拦截、校验失败转写、收口:一律见 references/common-params.md(本节不重复)。
常用命令与必读文档
建议先读:references/README.md(总索引与推荐阅读顺序)。
| 脚本 | 必读 reference | 用途 |
|---|---|---|
tbs-scene-parse.py | references/tbs-scene-parse.md | 分阶段确认与门禁编排 |
tbs-scene-validate.py | references/tbs-scene-validate.md | 创建前程序校验 |
tbs-scene-create.py | references/tbs-scene-create.md | 用户确认后真实创建 |
补充:
- 自然语言骨架提取:
references/base-info-parse.md+prompts/base-info-parse.model.schema.json - 场景正文生成:
references/scenario-json-parse.md+prompts/scenario-json-parse.model.schema.json - 复杂编排示例:
references/agent-patterns.md
测试示例(推荐)
示例 1:先做基础信息分阶段解析
# 第一步:先读 references/base-info-parse.md
# 第二步:按 prompts/base-info-parse.model.schema.json 提取骨架并写入 payload.json
# 第三步:执行 parse,判断当前阶段
python3 scripts/tbs-scene-parse.py --params-file payload.json
示例 2:校验(全量 / PATCH 后轻量)
# 先读 references/tbs-scene-validate.md
python3 scripts/tbs-scene-validate.py --params-file draft.json
python3 scripts/tbs-scene-validate.py --params-file draft.json --scope tbv
示例 3:用户确认创建后真实落库
# 第一步:先读 references/tbs-scene-create.md
python3 scripts/tbs-scene-create.py \
--params-file draft.json \
--access-token "<ACCESS_TOKEN>"
反向示例(不要这样做)
- 未获取
access-token就直接执行scripts/tbs-scene-create.py。 - 没读对应
references/*.md就起调脚本。 - 未经过
tbs-scene-validate.py就直接进入创建。 - 用户还没明确回复“确认创建”,就直接调用
/scene/createScene。 - 主数据精确匹配到多条时,擅自猜测业务领域、科室或品种。
- 用户明确“产品知识暂无 / 不提供资料”后,仍重复追问证据状态或强推知识主题。
- 基础信息确认阶段私自扩展结构化字段(如“关键决策者/利好背景/场景氛围”)并向用户展示,导致确认清单超出脚本门禁字段。
- 产品知识与资料确认阶段把问题拆成多轮反复追问(应优先引导用户一次性回复:主题 + 证据状态 + 证据来源)。
错误处理与通用参数
通用错误格式、--params-file 用法、输入文件规则请查看 references/common-params.md。
目录结构
cms-tbs-scene-create/
├── SKILL.md
├── version.json
├── prompts/
│ ├── base-info-parse.model.schema.json
│ ├── scenario-json-parse.model.schema.json
│ └── scene.schema.json
├── scripts/
│ ├── README.md
│ ├── tbs_client.py
│ ├── tbs_md_sanitize.py
│ ├── tbs-scene-parse.py
│ ├── tbs-scene-validate.py
│ └── tbs-scene-create.py
└── references/
├── README.md
├── auth.md
├── base-info-parse.md
├── tbs-scene-parse.md
├── tbs-scene-validate.md
├── tbs-scene-create.md
├── scenario-json-parse.md
├── common-params.md
├── agent-patterns.md
├── maintenance.md
└── requirements-sync-checklist.md
Comments
Loading comments...