Skill v1.0.3

ClawScan security

cms-tbs-scene-created · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 30, 2026, 10:42 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, runtime instructions, and requirements are consistent with its stated purpose of orchestrating TBS scene creation; nothing requests unrelated credentials or installs arbitrary code from external URLs.
Guidance
This skill appears coherent: it orchestrates a multi-step scene-creation flow using the included Python scripts and requires a TBS access-token to talk to TBS APIs. Before installing/using it: 1) Verify you trust the cms-auth-skills provider (it supplies the token). 2) Confirm the default TBS_BASE_URL is correct for your environment or always pass the --base-url you want. 3) Be aware the scripts will call remote APIs and can create remote resources (personas, scenes) — test in a non-production environment first if possible. 4) The skill's rules forbid exposing internal IDs to users; ensure the agent implementation enforces those output constraints.

Review Dimensions

Purpose & Capability
ok
Name/description assert end-to-end TBS scene creation. The repo provides three scripts (fetch-config, validate, create) and reference docs that are directly relevant. Declared dependency on cms-auth-skills matches the requirement to obtain an access-token. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
ok
SKILL.md explicitly confines actions to Step1–Step4 orchestration, calling the included Python scripts and the cms-auth-skills dependency for tokens. The scripts only call the TBS APIs (base_url configurable) and local validation routines; the docs forbid exposing internal IDs to users and require specific validation gates. There are no instructions to read unrelated host files or to transmit data to unexpected endpoints.
Install Mechanism
ok
No install spec; this is instruction+script based and relies on python3 being available. No network downloads or archive extraction are performed at install time. Scripts are bundled in the skill (no external code fetched).
Credentials
note
The skill requires a TBS access-token to call TBS endpoints; SKILL.md declares the dependency on cms-auth-skills and forbids reading the token from environment variables. Other environment variables (TBS_BASE_URL, timeout, retries) are optional and proportional. Note: the scripts default to a specific base URL if not overridden — ensure this default is appropriate for your environment before running.
Persistence & Privilege
ok
always:false and no claims to modify other skills or system-wide settings. The scripts perform API operations that create server-side resources (e.g., rolePersona, scene creation) which is consistent with the skill's purpose, but they do change remote state on the TBS system as part of normal operation.