Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

tbs-scenario-builder

v1.3.0

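Orchestrates and executes the training scenario (TBS) creation flow: intent routing, field parsing and follow-up questions, release-grade skeleton, persona/prompts generation, apiDraft deduplication evidence, a unified validation gate, and persistence to the database after confirmation. Using browser automation to operate the TBS admin console is **forbidden**; persistence goes only through the script API.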

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
!
Purpose & Capability
The skill is a TBS scenario builder and the included scripts legitimately call TBS management APIs to preflight and create records (drugs, departments, scenes). That capability aligns with the description. However the registry metadata declares no required environment variables or primary credential, while SKILL.md and multiple scripts expect an XG_USER_TOKEN, TBS_BASE_URL and optionally other env overrides (e.g., TBS_REQUIRE_KB_API, TBS_KNOWLEDGE_API_PATH). Missing declared credentials is an inconsistency: the skill will need auth to call POST/GET on the TBS backend but the package metadata does not surface this requirement.
!
Instruction Scope
SKILL.md instructs the agent to run local Python scripts (preflight-tbs-master-data.py, tbs_write_executor.py, persist-and-execute.py, etc.) which perform real side effects: write a draft file under scripts/tbs_assets/ and make HTTP GET/POST calls to the TBS management API (including automatically creating drugs when not found). It also directs installing 'cms-auth-skills' via npx if missing. The instructions explicitly ban browser automation (good), but they do allow running subprocesses and downloading/installing a dependency at runtime — both expand the skill's operational surface. The agent is told not to ask the user for tokens (expects XG_USER_TOKEN), which means credentials must be available in environment or provided by other installed auth skill; this behavior is not reflected in the declared requirements.
Install Mechanism
No formal install spec is present (instruction-only), but SKILL.md instructs runtime installation: first try 'npx clawhub@latest install cms-auth-skills --force', otherwise install from a GitHub URL. Using npx to install dependencies at runtime is a moderate risk vector because it executes remote installation scripts and fetches code from the network. The fallback GitHub URL is traceable but still implies network installs. The skill's own code files are bundled with the package (scripts exist locally), so there is no package manager install required for the skill itself — only for its auth dependency.
!
Credentials
Although the registry lists no required env vars/credentials, the documentation and scripts require/expect several environment values: XG_USER_TOKEN (used for access-token headers), TBS_BASE_URL (actual HTTP target for GET/POST), and optional overrides such as TBS_REQUIRE_KB_API and TBS_KNOWLEDGE_API_PATH. The skill will read/write local draft files and perform authenticated API calls to external domains (default: https://sg-tbs-manage.mediportal.com.cn). Requesting privileged runtime secrets (access tokens) without declaring them in the metadata is disproportionate and makes it easy for the agent to access credentials unexpectedly.
Persistence & Privilege
The skill does not set always:true and does not declare special platform privileges. It writes files under its own package paths (scripts/tbs_assets/scenario_draft.json / runtime fallbacks) and executes bundled scripts as subprocesses; this is expected for a skill that performs local preflight and remote persistence. It does make authenticated modifications to an external TBS backend (creating records), which is consistent with its purpose but should be treated as an action with real side effects — user confirmation is required by the flow before final persist-and-execute.
What to consider before installing
This skill appears to implement the TBS scenario creation workflow, including preflight checks and actual writing to a remote TBS API — which is consistent with its description — but there are important mismatches you should consider before installing:

1) Missing credential declarations: SKILL.md and scripts expect an access token (XG_USER_TOKEN) and a TBS_BASE_URL, but the package metadata lists no required env vars. Do not install or enable this skill unless you can supply a scoped access token and you understand which token will be used. Prefer giving a least-privilege, audit-friendly token (or a read-only/dry-run token) for testing.

2) Runtime network installs: The skill instructs using 'npx' to install a required auth skill at runtime (and falls back to a GitHub URL). That means code will be fetched and executed from the network. If you plan to run this skill, review the cms-auth-skills source that will be installed and consider pre-installing it in a controlled way rather than allowing the agent to run npx automatically.

3) Side effects: The executor script will call TBS endpoints and can create master data (e.g., POST /basic/drugs) automatically. Use the provided '--dry-run' / preflight mode first and verify behavior in a non-production TBS environment. Insist on explicit user confirmation (the skill requires the exact '确认' token) before any write — but verify the agent enforces that requirement in practice.

4) Audit the code: If you plan to enable this skill in an environment with real data, review the bundled scripts (especially tbs_write_executor.py and tbs_master_data_resolve.py) so you understand exactly which HTTP calls and local writes will occur. Check logging, error handling, and whether tokens are leaked to any unexpected endpoints.

5) Operational controls: Prefer running this skill in a sandbox first; provide minimal-scope credentials; require human confirmation before persist-and-execute; consider network egress controls or allowlisting the TBS_BASE_URL to limit where credentials can be used.

If these points are acceptable and you can review or provide the necessary runtime tokens and test environment, the skill can be used. If you cannot supply a scoped token or review the downstream scripts, treat this package as potentially risky and avoid enabling its automatic execution.
