Skill v1.1.7

ClawScan security

ima skills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Apr 24, 2026, 10:07 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill appears to implement the advertised IMA notes/knowledge-base functionality, but there are several mismatches and minor risks (missing declared binary requirement, extra/undocumented env-var fallbacks, and writable config/update files) that you should review before installing or supplying credentials.
Guidance
This skill largely does what it says (talks to ima.qq.com and uploads to Tencent COS using temporary credentials), but check a few things before installing or providing credentials:
1) Ensure Node.js (>=18) is available: the scripts require node even though the top-level registry claim omitted it.
2) Prefer environment variables over storing client_id/api_key in plaintext files under ~/.config/ima; if you store files, restrict their filesystem permissions.
3) Verify no IMA_BASE_URL / IMA_LAST_CHECK_FILE / alternate env vars are set to untrusted values on your system, because the code will honor those and could redirect requests.
4) Understand that the skill will write ~/.config/ima/last_update_check and may call the ima openapi/check_skill_update endpoint (to check for updated skill versions).
5) If you have confidentiality concerns, review the included .cjs files yourself (they are present and readable) to confirm there are no unexpected network endpoints; the code shows requests to ima.qq.com and to COS bucket hostnames only.
If you want higher assurance, run the skill in an isolated environment or with test credentials first.

Review Dimensions

Purpose & Capability
note: The skill's code and SKILL.md implement a notes + knowledge-base client against ima.qq.com (APIs, create_media → COS upload, notes endpoints). Requested credentials (IMA_OPENAPI_CLIENTID/IMA_OPENAPI_APIKEY) align with the stated purpose. However, registry metadata in the top-level manifest claims no required runtime binaries while meta.json and the scripts clearly expect Node.js; that mismatch is a coherence issue (node is required to run the included .cjs scripts).
Instruction Scope
note: Runtime instructions call the included Node scripts (preflight-check.cjs, cos-upload.cjs, ima_api.cjs) and describe workflows for file upload, duplicate checks, and note operations. The SKILL.md and scripts read credentials from ~/.config/ima/* or environment variables, run PUT uploads to *.myqcloud.com using temporary COS credentials, and write a last-update-check file to ~/.config/ima/last_update_check. Those behaviors are consistent with the stated flows, but the update check and the config-file reads/writes are side effects the user should know about.
Install Mechanism
note: There is no external download/install spec (no remote archive or installer), which reduces supply-chain risk. The skill includes local .cjs scripts that will be executed by Node. The main concern is the manifest discrepancy: the skill did not declare 'node' as a required binary in the top registry fields even though meta.json and SKILL.md use Node.js; this may cause runtime surprises.
Credentials
concern: The skill asks only for IMA OpenAPI credentials, which is appropriate for the API. However: (1) ima_api.cjs accepts alternate env var names (IMA_CLIENT_ID/IMA_API_KEY) beyond the declared ones; undocumented fallbacks broaden the set of variables that control behavior. (2) ima_api.cjs and SKILL.md allow overriding the base URL via IMA_BASE_URL (and the last-check file via IMA_LAST_CHECK_FILE), meaning requests can be redirected from the claimed official endpoint if env vars/options are changed. (3) SKILL.md suggests storing credentials in plaintext files under ~/.config/ima, which is convenient but increases risk if that directory is readable by others. These widen the attack surface beyond the minimal credential use claimed in the security note.
Persistence & Privilege
note: The skill does not request always:true or system-wide privileges. It does write a small last-update-check file to ~/.config/ima and reads/stores credentials in ~/.config/ima if the user follows the recommended setup. Writing to that per-user config path is scoped and expected for CLI-like skills, but it is a persistent side effect worth noting.