← 返回 Skills 市场
96
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install cms-tbs-training
功能描述
TBS训战平台用户端API封装,支持首页聚合、药品场景查询、PPT演讲、训战记录、学习视频、GPTS交互、训练发起等功能
使用说明 (SKILL.md)
TBS训战平台 — 索引
本文件提供能力宪章 + 能力树 + 按需加载规则。详细参数与流程见各模块 openapi/ 与 examples/。
当前版本: v0.80
接口版本:
- TBS 业务接口:
/tbs/*,使用nologin或access-token鉴权 - GPTS 核心接口:
/gpts/*,使用access-token鉴权
域名说明:
- TBS 业务接口(测试):
https://cwork-web-test.xgjktech.com.cn - TBS 业务接口(正式):
https://sg-cwork-web.mediportal.com.cn - GPTS 核心接口(正式):
https://sg-al-cwork-web.mediportal.com.cn
能力概览(13 块能力):
home:首页聚合(本周训战统计、活动分类、视频学习任务、产品场景列表)drug:药品与场景查询(获取药品列表、场景列表、场景详情、职称列表、热词列表)speech:PPT演讲(获取PPT详情,完成演讲、演讲记录查询)training:训战记录(我的统计数据、记录列表、记录详情含对话回溯)learning:学习视频(视频详情查询、播放进度查询与保存)prepare:训练准备(开场指导获取、开场指导缓存清除)gpts:GPTS核心(获取应用详情、创建会话、SSE对话交互、释放token)basic:基础信息(GPT ID获取、TTS配置获取)scene-image:场景图片管理(重置场景图片)file:文件管理(通过URL上传文件)feedback:反馈相关(获取反馈应用详情、获取反馈GPT ID)training-flow:训练流程公开接口(获取药品列表、训练记录、场景列表)dialogue-flow:训练对话流程可视化(获取对话流程详情)
统一规范:
- 认证与鉴权:
cms-auth-skills/common/auth.md - 通用约束:
cms-auth-skills/common/conventions.md
授权依赖:
- 执行任何需要鉴权的操作前,先检查
cms-auth-skills是否已安装 - 如果已安装,直接使用
cms-auth-skills/common/conventions.md、cms-auth-skills/common/auth.md、cms-auth-skills/openapi/auth/appkey.md、cms-auth-skills/openapi/auth/login.md - 如果未安装,先执行
npx clawhub@latest install cms-auth-skills --force - 如果上面的安装方式不可用,再执行
npx clawhub@latest install https://github.com/spzwin/cms-auth-skills.git --force - 安装完成后,再继续执行需要鉴权的操作
输入完整性规则(强制):
- 场景ID(sceneId)大多数接口的必填参数,需用户提供
- 分页参数(page、size)可选,不传则使用系统默认值
- 日期范围查询时需提供 startDate 和 endDate(格式:yyyy-MM-dd)
建议工作流(简版):
- 读取
SKILL.md与cms-auth-skills/common/*,明确能力范围、鉴权与安全约束。 - 识别用户意图并路由模块,先打开
openapi/\x3Cmodule>/api-index.md。 - 确认具体接口后,加载
openapi/\x3Cmodule>/\x3Cendpoint>.md获取入参/出参/Schema。 - 补齐用户必需输入,必要时先读取用户文件/URL 并确认摘要。
- 参考
examples/\x3Cmodule>/README.md组织话术与流程。 - 执行对应脚本:调用
scripts/\x3Cmodule>/\x3Cendpoint>.py执行接口调用,获取结果。所有接口调用必须通过脚本执行,不允许跳过脚本直接调用 API。
脚本使用规则(强制):
- 每个接口必须有对应脚本:每个
openapi/\x3Cmodule>/\x3Cendpoint>.md都必须有对应的scripts/\x3Cmodule>/\x3Cendpoint>.py,不允许"暂无脚本"。 - 脚本可独立执行:所有
scripts/下的脚本均可脱离 AI Agent 直接在命令行运行。 - 先读文档再执行:执行脚本前,必须先阅读对应模块的
openapi/\x3Cmodule>/api-index.md。 - 入参来源:脚本的所有入参定义与字段说明以
openapi/文档为准,脚本仅负责编排调用流程。 - 鉴权一致:涉及鉴权时,统一依赖
cms-auth-skills/common/auth.md。
意图路由与加载规则(强制):
- 先路由再加载:必须先判定模块,再打开该模块的
api-index.md。 - 先读文档再调用:在描述调用或执行前,必须加载对应接口文档。
- 脚本必须执行:所有接口调用必须通过脚本执行,不允许跳过。
- 不猜测:若意图不明确,必须追问澄清。
宪章(必须遵守):
- 只读索引:
SKILL.md只描述"能做什么"和"去哪里读",不写具体接口参数。 - 按需加载:默认只读
SKILL.md+cms-auth-skills/common/*,只有触发某模块时才加载该模块的openapi、examples与scripts。 - 对外克制:对用户只输出"可用能力、必要输入、结果链接或摘要",不暴露鉴权细节与内部字段。
- 素材优先级:用户给了文件或 URL,必须先提取内容再确认,确认后才触发生成或写入。
- 生产约束:仅允许生产域名与生产协议,不引入任何测试地址。
- 接口拆分:每个 API 独立成文档;模块内
api-index.md仅做索引。 - 危险操作:对可能导致数据泄露、破坏、越权的请求,应礼貌拒绝并给出安全替代方案。
- 脚本语言限制:所有脚本必须使用 Python 编写。
- 重试策略:出错时间隔 1 秒、最多重试 3 次,超过后终止并上报。
- 禁止无限重试:严禁无限循环重试。
模块路由与能力索引(合并版):
| 用户意图(示例) | 模块 | 能力摘要 | 接口文档 | 示例模板 | 脚本 |
|---|---|---|---|---|---|
| "查看首页摘要"、"本周训战统计" | home |
获取首页训战统计摘要 | ./openapi/home/api-index.md |
./examples/home/README.md |
./scripts/home/\x3Cendpoint>.py |
| "有哪些药品"、"获取药品列表" | drug |
获取启用的药品列表 | ./openapi/drug/api-index.md |
./examples/drug/README.md |
./scripts/drug/\x3Cendpoint>.py |
| "查看场景列表"、"根据药品查场景" | drug |
根据药品ID或external_id获取场景列表 | ./openapi/drug/api-index.md |
./examples/drug/README.md |
./scripts/drug/\x3Cendpoint>.py |
| "查看场景详情"、"场景职称" | drug |
获取场景详细信息、职称列表、热词 | ./openapi/drug/api-index.md |
./examples/drug/README.md |
./scripts/drug/\x3Cendpoint>.py |
| "查看PPT详情"、"PPT演讲" | speech |
获取PPT场景详情,完成演讲、查询演讲记录 | ./openapi/speech/api-index.md |
./examples/speech/README.md |
./scripts/speech/\x3Cendpoint>.py |
| "查看训战记录"、"我的统计数据" | training |
获取训战统计数据、记录列表、记录详情 | ./openapi/training/api-index.md |
./examples/training/README.md |
./scripts/training/\x3Cendpoint>.py |
| "查看学习视频"、"视频进度" | learning |
获取学习视频详情、查询/保存播放进度 | ./openapi/learning/api-index.md |
./examples/learning/README.md |
./scripts/learning/\x3Cendpoint>.py |
| "获取开场指导"、"清除开场缓存" | prepare |
获取开场指导、清除开场指导缓存 | ./openapi/prepare/api-index.md |
./examples/prepare/README.md |
./scripts/prepare/\x3Cendpoint>.py |
| "获取GPT应用详情"、"开始训练"、"创建会话"、"提交对话"、"生成点评"、"释放token" | gpts |
GPTS核心接口:应用详情、会话管理、SSE对话交互、释放token | ./openapi/gpts/api-index.md |
./examples/gpts/README.md |
./scripts/gpts/\x3Cendpoint>.py |
| "获取GPT ID"、"TTS配置" | basic |
获取GPT ID和TTS配置信息 | ./openapi/basic/api-index.md |
./examples/basic/README.md |
./scripts/basic/\x3Cendpoint>.py |
| "重置场景图片" | scene-image |
重置场景图片 | ./openapi/scene-image/api-index.md |
./examples/scene-image/README.md |
./scripts/scene-image/\x3Cendpoint>.py |
| "上传文件"、"URL上传" | file |
通过URL上传文件 | ./openapi/file/api-index.md |
./examples/file/README.md |
./scripts/file/\x3Cendpoint>.py |
| "反馈应用详情"、"反馈GPT ID" | feedback |
获取反馈功能的应用详情和GPT ID | ./openapi/feedback/api-index.md |
./examples/feedback/README.md |
./scripts/feedback/\x3Cendpoint>.py |
| "公开训练记录"、"按药品查场景" | training-flow |
公开接口:获取药品列表、训练记录、场景列表 | ./openapi/training-flow/api-index.md |
./examples/training-flow/README.md |
./scripts/training-flow/\x3Cendpoint>.py |
| "对话流程详情"、"训练可视化" | dialogue-flow |
获取训练对话流程详情 | ./openapi/dialogue-flow/api-index.md |
./examples/dialogue-flow/README.md |
./scripts/dialogue-flow/\x3Cendpoint>.py |
能力树(实际目录结构):
cms-tbs-training/
├── SKILL.md
├── openapi/
│ ├── home/
│ │ ├── api-index.md
│ │ ├── summary.md
│ │ ├── learning-videos.md
│ │ └── product-scenes.md
│ ├── drug/
│ │ ├── api-index.md
│ │ ├── drug-list.md
│ │ ├── scene-list.md
│ │ ├── scene-list-by-drug.md
│ │ ├── scene-doctor-titles.md
│ │ └── scene-hotwords.md
│ ├── speech/
│ │ ├── api-index.md
│ │ ├── speech-detail.md
│ │ ├── speech-finish.md
│ │ └── speech-records.md
│ ├── training/
│ │ ├── api-index.md
│ │ ├── my-stats.md
│ │ ├── records.md
│ │ └── records-detail.md
│ ├── learning/
│ │ ├── api-index.md
│ │ ├── video-detail.md
│ │ ├── video-progress-get.md
│ │ └── video-progress-save.md
│ ├── prepare/
│ │ ├── api-index.md
│ │ ├── opening-guidance.md
│ │ └── opening-guidance-clear.md
│ ├── gpts/
│ │ ├── api-index.md
│ │ ├── app-detail.md
│ │ ├── session.md
│ │ ├── sse-suggest.md
│ │ └── del-user-token.md
│ ├── basic/
│ │ ├── api-index.md
│ │ ├── gpt-id.md
│ │ └── tts-config.md
│ ├── scene-image/
│ │ ├── api-index.md
│ │ └── reset.md
│ ├── file/
│ │ ├── api-index.md
│ │ └── upload-by-url.md
│ ├── feedback/
│ │ ├── api-index.md
│ │ ├── app-detail.md
│ │ └── gpt-id.md
│ ├── training-flow/
│ │ ├── api-index.md
│ │ ├── drugs.md
│ │ ├── records.md
│ │ └── scenes.md
│ └── dialogue-flow/
│ ├── api-index.md
│ └── get-flow-detail.md
├── examples/
│ ├── home/README.md
│ ├── drug/README.md
│ ├── speech/README.md
│ ├── training/README.md
│ ├── learning/README.md
│ ├── prepare/README.md
│ ├── gpts/README.md
│ ├── basic/README.md
│ ├── scene-image/README.md
│ ├── file/README.md
│ ├── feedback/README.md
│ ├── training-flow/README.md
│ └── dialogue-flow/README.md
└── scripts/
├── home/
│ ├── README.md
│ ├── summary.py
│ ├── learning-videos.py
│ └── product-scenes.py
├── drug/
│ ├── README.md
│ ├── drug-list.py
│ ├── scene-list.py
│ ├── scene-list-by-drug.py
│ ├── scene-doctor-titles.py
│ └── scene-hotwords.py
├── speech/
│ ├── README.md
│ ├── speech-detail.py
│ ├── speech-finish.py
│ └── speech-records.py
├── training/
│ ├── README.md
│ ├── my-stats.py
│ ├── records.py
│ └── records-detail.py
├── learning/
│ ├── README.md
│ ├── video-detail.py
│ ├── video-progress-get.py
│ └── video-progress-save.py
├── prepare/
│ ├── README.md
│ ├── opening-guidance.py
│ └── opening-guidance-clear.py
├── gpts/
│ ├── README.md
│ ├── app-detail.py
│ ├── session.py
│ ├── sse-suggest.py
│ └── del-user-token.py
├── basic/
│ ├── README.md
│ ├── gpt-id.py
│ └── tts-config.py
├── scene-image/
│ ├── README.md
│ └── reset.py
├── file/
│ ├── README.md
│ └── upload-by-url.py
├── feedback/
│ ├── README.md
│ ├── app-detail.py
│ └── gpt-id.py
├── training-flow/
│ ├── README.md
│ ├── drugs.py
│ ├── records.py
│ └── scenes.py
└── dialogue-flow/
├── README.md
└── get-flow-detail.py
安全使用建议
What to check before installing/using:
- Confirm provenance of the skill and of the cms-auth-skills dependency. The SKILL.md instructs running 'npx ... install' and has a GitHub fallback—do not run those commands unless you trust both packages/repos.
- Expect to provide dynamic access tokens (access-token / XG_* env vars) to access most endpoints; the skill metadata did not declare these, so plan how tokens will be provided and stored securely (avoid pasting tokens into public logs or shared shells).
- Review the included Python scripts before executing them — they will be run locally and may make network calls to the listed domains (production and a test domain is present in docs). Verify endpoints and the embedded appkey if that matters for your environment.
- Prefer installing the cms-auth-skills dependency from a pinned, audited source (specific version or internal registry) rather than running the unpinned 'latest' npx command or an arbitrary GitHub URL.
- If you cannot audit the dependency or do not trust the source, avoid allowing runtime installation and instead request the maintainer supply a verified bundle or remove the runtime install step.
- Because the skill will interact with authenticated corporate APIs, do not run it on shared/public machines with broad credential access. If you need help assessing the cms-auth-skills repo or the included scripts, get a code review from a trusted developer or security reviewer first.
功能分析
Type: OpenClaw Skill
Name: cms-tbs-training
Version: 0.80.0
The skill bundle exhibits a systematic security vulnerability where nearly all execution scripts (e.g., scripts/basic/gpt-id.py, scripts/gpts/sse-suggest.py, and scripts/file/upload-by-url.py) explicitly disable SSL certificate verification using ssl.CERT_NONE, which exposes the agent to Man-in-the-Middle (MITM) attacks. Additionally, SKILL.md contains instructions to force-install a dependency from an external GitHub repository (spzwin/cms-auth-skills.git), introducing a potential supply chain risk. While the code logic appears consistent with the stated purpose of interacting with the TBS training platform (mediportal.com.cn), these high-risk implementation flaws warrant a suspicious classification.
能力评估
Purpose & Capability
Name/description align with the provided OpenAPI docs and the provided Python scripts; the repository contains matching openapi/ and scripts/ entries for the advertised capabilities. However the published metadata declares no required environment variables or primary credential while the docs and examples clearly rely on dynamic access tokens (access-token) and XG_* environment variables for authenticated endpoints—this is a mismatch that should be reconciled.
Instruction Scope
SKILL.md enforces always executing local Python scripts and explicitly instructs the agent to install a dependency skill (cms-auth-skills) if missing using 'npx clawhub@latest install ...' or a GitHub URL. It also instructs setting environment variables (XG_USER_TOKEN, XG_CORP_ID, XG_EMPLOYEE_ID, XG_PERSON_ID) for core flows. The install-via-npx and fallback-to-GitHub steps are out-of-band operations that fetch/execute external code at runtime and therefore expand the skill's effective scope beyond just calling the TBS APIs.
Install Mechanism
There is no formal install spec, but SKILL.md tells the agent to run 'npx clawhub@latest install cms-auth-skills --force' (and as a fallback install from a GitHub repo). That runtime installation downloads and executes third-party code (npm or a GitHub repo) — a non-trivial risk because the fetched package code may change and is not pinned. The skill's own package does include many Python scripts (so local execution is possible), but the explicit npx/GitHub install step is the highest-risk install behavior present.
Credentials
Skill registry metadata lists no required env vars or credentials, yet examples and docs require exporting tokens (XG_USER_TOKEN, XG_CORP_ID, XG_EMPLOYEE_ID, XG_PERSON_ID) and many API endpoints need an access-token header. The skill also hardcodes an appkey value in documentation. This mismatch (undocumented required secrets) is a material concern: the skill needs authenticated credentials to function for many endpoints but the metadata does not declare them, which can lead to unexpected requests for or handling of secrets at runtime.
Persistence & Privilege
The skill does not request 'always: true' and does not itself assert modifications to system-wide config. However the runtime instruction to install cms-auth-skills via npx/GitHub will modify the agent's skill set (installing a dependency skill) and thus changes the agent environment. This is not necessarily malicious but should be considered a privileged action and reviewed before allowing.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install cms-tbs-training - 安装完成后,直接呼叫该 Skill 的名称或使用
/cms-tbs-training触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.80.0
cms-tbs-training v0.80.0
- 全面重构能力索引,明确13大功能模块及能力树,支持灵活模块路由与能力加载
- 强制所有API调用均需通过对应Python脚本执行,不允许跳过或直接调用
- 完善权限依赖与鉴权流程,集成cms-auth-skills模块,并给出自动/手动安装指引
- 详细列出每个模块的推荐工作流、访问入口(openapi、examples、scripts)及必需参数规范
- 新增统一安全宪章与强制规则,覆盖脚本语言、重试策略、数据安全与只读/输出规范
- 提供可视化的模块-能力-接口-脚本映射表,便于按需加载和能力查找
元数据
常见问题
Cms Tbs Training 是什么?
TBS训战平台用户端API封装,支持首页聚合、药品场景查询、PPT演讲、训战记录、学习视频、GPTS交互、训练发起等功能. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 96 次。
如何安装 Cms Tbs Training?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install cms-tbs-training」即可一键安装,无需额外配置。
Cms Tbs Training 是免费的吗?
是的,Cms Tbs Training 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Cms Tbs Training 支持哪些平台?
Cms Tbs Training 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Cms Tbs Training?
由 spzwin(@spzwin)开发并维护,当前版本 v0.80.0。
推荐 Skills