Tencent IMA Skill
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is broadly aligned with controlling IMA, but it opens a powerful debugging interface and may expose more private IMA content than just the requested answer.
Install only if you are comfortable letting the agent automate your logged-in IMA app and query your private knowledge base. After use, manually close IMA or verify the debugging port is no longer active, and avoid using private mode for highly sensitive information until output scoping and cleanup are improved.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A private search could return more of your IMA page content than you expected, not just the requested answer.
The script extracts text from the entire visible IMA page body and prints up to 3000 characters, rather than limiting output to the specific answer/result area. In private knowledge mode, this can bring unrelated private account, navigation, history, or page content into the agent context.
return getDeepText(document.body); ... print(final_text[:3000])
Limit DOM extraction to the answer element, redact account/sidebar/history text, and clearly warn users that private IMA content will be returned to the agent.
After use, a powerful local debugging endpoint for the logged-in IMA app may remain available until the app is manually closed.
The skill starts IMA with a local CDP debugging port and wildcard allowed origins. The default autoclose is false, and the only close path calls an undefined close_app function, so the debug-enabled app may remain running after the task.
subprocess.Popen([APP_PATH, f"--remote-debugging-port={CDP_PORT}", "--remote-allow-origins=*"] ...); ... if autoclose: close_app()
Implement a working close/cleanup path, default to closing or disabling the debugging session after use, and avoid wildcard remote debugging origins unless strictly necessary.
Installing and using the skill gives the agent a path to query your configured private IMA knowledge base when invoked.
The skill reads a configured IMA knowledge-base ID and uses the local IMA app/session to query private knowledge. This is purpose-aligned, but it is still private account-linked access.
env_id = os.environ.get("IMA_KNOWLEDGE_ID") ... return config.get("knowledge_id")
Only configure a knowledge ID you are comfortable exposing to the agent, and review private-search requests before allowing them.
Dependency behavior can vary by installed version or package source.
The README requires a manually installed Python dependency without a pinned version. This is common for instruction-only skills, but users should install it from a trusted package index/environment.
pip3 install websocket-client
Use a trusted Python environment and consider pinning a known-good websocket-client version.
