ima skills

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its IMA notes and knowledge-base purpose, but it needs review because it can use your IMA credentials more broadly than the docs disclose.

Install only if you trust the publisher and intend to let an agent access and modify your IMA notes and knowledge bases. Keep IMA_BASE_URL unset or restricted to the official IMA service, protect the API key, and manually review note creation, appends, file uploads, URL imports, and knowledge-base writes before approving them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Severity: Medium (92% confidence)
The skill performs an out-of-band self-update check on every API call (except the update endpoint itself), which is unrelated to the declared note/knowledge-base functionality and is not disclosed to the user. This creates hidden network behavior and allows a remote service to influence execution flow by causing the tool to emit update metadata and abort with a special error code.

Context-Inappropriate Capability

Severity: High (97% confidence)
The exported API accepts an arbitrary apiPath and forwards it directly to the remote service with valid credentials, rather than enforcing only note and knowledge-base operations described by the skill. This turns the skill into a generic authenticated proxy to the IMA backend, potentially enabling access to unintended or higher-risk endpoints if a caller supplies a different path.

Vague Triggers

Severity: High (95% confidence)
The skill description contains very broad trigger phrases such as requests to 'remember', 'record', or access personal documents, which can cause the skill to activate for ordinary conversation that does not clearly require external knowledge-base or note actions. Over-broad invocation increases the chance of unnecessary tool use, unintended data access, and accidental writes to a user's notes or knowledge base without sufficiently specific intent.

Missing User Warnings

Severity: Medium (91% confidence)
The documentation instructs callers to send `ima-openapi-clientid` and `ima-openapi-apikey` in request headers but provides no guidance on secret handling, storage, redaction, or avoiding exposure in logs and transcripts. In an agent-skill context, operators or downstream tooling may surface these values in debugging output or prompts, increasing the risk of credential leakage and unauthorized API use.

Missing User Warnings

Severity: Medium (95% confidence)
The quick-decision guidance encourages uploading files, URLs, notes, and personal documents to a remote knowledge-base service without a clear user-facing disclosure that the content leaves the local environment and is transmitted to `ima.qq.com`. Because the skill explicitly covers personal notes, documents, and web imports, missing consent and data-handling warnings can lead to unintended disclosure of sensitive or regulated information.

Vague Triggers

Severity: Medium (89% confidence)
The trigger phrase for note search is broad enough that ordinary requests containing words like '搜索' ("search") or '找' ("find") could activate the skill even when the user did not intend a note-search action. In a skill that can access private notes, unintended activation can expose metadata or content from a user's personal knowledge base, making this more dangerous than a generic routing ambiguity.

Vague Triggers

Severity: Medium (92% confidence)
The creation trigger includes broad phrases such as '生成笔记' ("generate a note") or '把这段内容保存为笔记' ("save this content as a note"), which can overlap with common assistant behavior and cause persistent writes without sufficiently explicit user intent. Because this skill can create durable user data, accidental activation is more severe than a read-only mistake and may result in unwanted storage of sensitive or incorrect content.

Missing User Warnings

Severity: Medium (95% confidence)
The documentation enables note creation and append operations but does not require a user-facing warning or confirmation that these actions modify persistent personal data. In the context of a notes and knowledge-base skill, silent writes can lead to unauthorized or accidental changes, persistence of sensitive information, and user confusion about what was stored or altered.

VirusTotal

65/65 vendors reported this skill as clean.
