tbs-scenario-builder

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is mostly coherent for building TBS training scenarios, but it can create TBS admin master-data records before the user's final confirmation.

Before installing, confirm you trust the TBS target environment, the cms-auth-skills dependency, and the local scripts. Ask the agent to use dry-run preflight first, and require explicit approval before any TBS POST or production write.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

TBS business-domain, department, or drug records could be created even if the user later cancels the final scenario write.

Why it was flagged

The preflight stage is explicitly before final user confirmation, but it can still perform authenticated POST creates for TBS master data.

Skill content

**After `validate-and-gate` passes and before the user confirms `persist-and-execute`**... if it does not exist, **create it via `POST`** (unless `--dry-run`)

Recommendation

Make preflight default to dry-run, require explicit user approval before any POST, and show the target environment and records that will be created.

What this means

A token with broad TBS admin rights could create or modify business data if used in the wrong environment.

Why it was flagged

The skill relies on an access token to call TBS admin APIs; this is expected for the purpose but grants sensitive account authority.

Skill content

`access-token`: `XG_USER_TOKEN` must be set before execution... the actual HTTP target is `TBS_BASE_URL`

Recommendation

Use the least-privileged token available, verify TBS_BASE_URL before running, and avoid production credentials until the workflow is tested.

What this means

Installing the dependency could replace or add auth-related skill code that handles credentials.

Why it was flagged

The skill may install an external auth helper with --force; this is disclosed and purpose-aligned, but it changes the agent environment and involves unreviewed dependency code.

Skill content

If it is not installed, first run `npx clawhub@latest install cms-auth-skills --force`... `npx clawhub@latest install https://github.com/spzwin/cms-auth-skills.git --force`

Recommendation

Review and install cms-auth-skills manually from a trusted source before using this skill, and avoid --force unless you intend to overwrite existing installs.

What this means

Running the skill can execute local Python code and write files as part of the TBS persistence workflow.

Why it was flagged

The skill intentionally writes a draft file and runs a local executor script; this is central to the stated purpose but has real side effects.

Skill content

Write the draft to `scripts/tbs_assets/scenario_draft.json` (or a `draftPath` override) and run `scripts/scene/tbs_write_executor.py` as a subprocess (real side effects)

Recommendation

Run it only in a controlled workspace, keep the default draft path unless necessary, and review the executor before production use.