Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cms Tbs Training
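v0.80.0
TBS training platform user-side API wrapper, supporting home page aggregation, drug scenario queries, PPT presentations, training records, learning videos, GPTS interaction, training initiation, and other features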
⭐ 0· 29·1 current·1 all-time
by @spzwin
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description align with the provided OpenAPI docs and the provided Python scripts; the repository contains matching openapi/ and scripts/ entries for the advertised capabilities. However the published metadata declares no required environment variables or primary credential while the docs and examples clearly rely on dynamic access tokens (access-token) and XG_* environment variables for authenticated endpoints—this is a mismatch that should be reconciled.
Instruction Scope
SKILL.md enforces always executing local Python scripts and explicitly instructs the agent to install a dependency skill (cms-auth-skills) if missing using 'npx clawhub@latest install ...' or a GitHub URL. It also instructs setting environment variables (XG_USER_TOKEN, XG_CORP_ID, XG_EMPLOYEE_ID, XG_PERSON_ID) for core flows. The install-via-npx and fallback-to-GitHub steps are out-of-band operations that fetch/execute external code at runtime and therefore expand the skill's effective scope beyond just calling the TBS APIs.
Install Mechanism
There is no formal install spec, but SKILL.md tells the agent to run 'npx clawhub@latest install cms-auth-skills --force' (and as a fallback install from a GitHub repo). That runtime installation downloads and executes third-party code (npm or a GitHub repo) — a non-trivial risk because the fetched package code may change and is not pinned. The skill's own package does include many Python scripts (so local execution is possible), but the explicit npx/GitHub install step is the highest-risk install behavior present.
Credentials
Skill registry metadata lists no required env vars or credentials, yet examples and docs require exporting tokens (XG_USER_TOKEN, XG_CORP_ID, XG_EMPLOYEE_ID, XG_PERSON_ID) and many API endpoints need an access-token header. The skill also hardcodes an appkey value in documentation. This mismatch (undocumented required secrets) is a material concern: the skill needs authenticated credentials to function for many endpoints but the metadata does not declare them, which can lead to unexpected requests for or handling of secrets at runtime.
Persistence & Privilege
The skill does not request 'always: true' and does not itself assert modifications to system-wide config. However the runtime instruction to install cms-auth-skills via npx/GitHub will modify the agent's skill set (installing a dependency skill) and thus changes the agent environment. This is not necessarily malicious but should be considered a privileged action and reviewed before allowing.
What to consider before installing
What to check before installing/using:
- Confirm provenance of the skill and of the cms-auth-skills dependency. The SKILL.md instructs running 'npx ... install' and has a GitHub fallback—do not run those commands unless you trust both packages/repos.
- Expect to provide dynamic access tokens (access-token / XG_* env vars) to access most endpoints; the skill metadata did not declare these, so plan how tokens will be provided and stored securely (avoid pasting tokens into public logs or shared shells).
- Review the included Python scripts before executing them — they will be run locally and may make network calls to the listed domains (both a production and a test domain appear in the docs). Verify endpoints and the embedded appkey if that matters for your environment.
- Prefer installing the cms-auth-skills dependency from a pinned, audited source (specific version or internal registry) rather than running the unpinned 'latest' npx command or an arbitrary GitHub URL.
- If you cannot audit the dependency or do not trust the source, avoid allowing runtime installation and instead request the maintainer supply a verified bundle or remove the runtime install step.
- Because the skill will interact with authenticated corporate APIs, do not run it on shared/public machines with broad credential access. If you need help assessing the cms-auth-skills repo or the included scripts, get a code review from a trusted developer or security reviewer first.

Like a lobster shell, security has layers — review code before you run it.
