Skillv1.0.1

ClawScan security

Tencent IMA Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 12, 2026, 3:29 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and instructions are consistent with its stated purpose (controlling the IMA desktop app and injecting a private Knowledge ID), but there are a few implementation/documentation mismatches and a minor undeclared environment variable to be aware of.
Guidance: What to consider before installing: - This skill will launch your local IMA desktop app (expects it at /Applications/ima.copilot.app or ~/Applications/...) and open/connect to its Chrome DevTools debugging port (default 8315). That requires the skill to be able to start a local binary and speak to a debugging websocket — only install if you trust the code. - The core feature is intercepting and modifying outgoing requests to IMA's /cgi-bin/assistant/qa endpoint to inject your private Knowledge ID. That behavior is intentional for the advertised feature, but it is high-privilege: it modifies network traffic originating from the app. If you are uncomfortable with code that intercepts or mutates requests, do not install. - The Knowledge ID is sensitive. The script sources it from either a config file (skills/ima/config.json) or the environment variable IMA_KNOWLEDGE_ID. Note: the skill metadata did not declare IMA_KNOWLEDGE_ID and SKILL.md mentions an additional config path (~/.clawd_ima_config.json) that the script does not actually check — these documentation mismatches should be corrected. Before using, place the ID in the skill's config.json (and keep that file out of version control) or set the IMA_KNOWLEDGE_ID env var yourself. - The SKILL.md's example invocation references a hard-coded script path (/opt/homebrew/lib/node_modules/clawdbot/skills/ima/scripts/ima.py) which may not match where the skill is actually installed; verify the path your agent will use. - The code does not appear to exfiltrate data to third-party servers (it interacts with the local CDP and the official ima.qq.com endpoint). Still, if you have strict privacy requirements, run this in an isolated environment or inspect/approve the script before enabling. Recommended actions: verify the app path and the script location, confirm or set the Knowledge ID in the config or environment, and review the scripts yourself (or run in a sandbox) before granting the agent permission to invoke this skill autonomously.

Review Dimensions

Purpose & Capability: okThe name/description (control IMA, inject private knowledge ID, DOM extraction) align with the included script's behavior: launching the local IMA app, connecting to its Chrome DevTools endpoint, intercepting /cgi-bin/assistant/qa requests, injecting knowledge_ids, and extracting DOM text. No unrelated cloud credentials or unrelated binaries are requested.
Instruction Scope: noteThe SKILL.md and script instruct the agent to start a local desktop app, open a CDP debugging socket, intercept and modify outgoing requests, and extract DOM content. This is high-privilege relative to normal read-only search operations (because it alters outgoing requests), but it is coherent with the claimed 'private knowledge injection' feature. Be aware this actively modifies the app's network requests and requires launching the app with remote debugging enabled.
Install Mechanism: okNo install spec is included (instruction-only plus a Python script). The script relies on an existing Python environment and websocket-client; nothing is downloaded from remote URLs and no archives are extracted. This is lower-risk from an installation perspective.
Credentials: concernThe script reads an environment variable IMA_KNOWLEDGE_ID as an alternative source for the Knowledge ID, but the registry metadata lists no required env vars and SKILL.md does not document IMA_KNOWLEDGE_ID. SKILL.md also claims it will look at ~/.clawd_ima_config.json and skills/ima/config.json, but the script only checks skills/ima/config.json (and an environment variable). The Knowledge ID is sensitive; requiring it (via config file or env) is proportionate for the stated feature, but the undeclared env and mismatched config-path documentation are inconsistencies you should resolve before trusting the skill.
Persistence & Privilege: okThe skill does not request permanent 'always' presence, does not modify other skills, and does not install background services. It launches the local app process temporarily and connects to its CDP port; this is transient and in-scope for the described automation.