Tencent IMA Skill

What to consider before installing: - This skill will launch your local IMA desktop app (expects it at /Applications/ima.copilot.app or ~/Applications/...) and open/connect to its Chrome DevTools debugging port (default 8315). That requires the skill to be able to start a local binary and speak to a debugging websocket — only install if you trust the code. - The core feature is intercepting and modifying outgoing requests to IMA's /cgi-bin/assistant/qa endpoint to inject your private Knowledge ID. That behavior is intentional for the advertised feature, but it is high-privilege: it modifies network traffic originating from the app. If you are uncomfortable with code that intercepts or mutates requests, do not install. - The Knowledge ID is sensitive. The script sources it from either a config file (skills/ima/config.json) or the environment variable IMA_KNOWLEDGE_ID. Note: the skill metadata did not declare IMA_KNOWLEDGE_ID and SKILL.md mentions an additional config path (~/.clawd_ima_config.json) that the script does not actually check — these documentation mismatches should be corrected. Before using, place the ID in the skill's config.json (and keep that file out of version control) or set the IMA_KNOWLEDGE_ID env var yourself. - The SKILL.md's example invocation references a hard-coded script path (/opt/homebrew/lib/node_modules/clawdbot/skills/ima/scripts/ima.py) which may not match where the skill is actually installed; verify the path your agent will use. - The code does not appear to exfiltrate data to third-party servers (it interacts with the local CDP and the official ima.qq.com endpoint). Still, if you have strict privacy requirements, run this in an isolated environment or inspect/approve the script before enabling. Recommended actions: verify the app path and the script location, confirm or set the Knowledge ID in the config or environment, and review the scripts yourself (or run in a sandbox) before granting the agent permission to invoke this skill autonomously.