Security audit

IMA OpenAPI

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real IMA notes and knowledge-base integration, but it deserves review because its authenticated helper is broader than the documented note and knowledge-base workflows.

Install only if you intend to let this skill access and modify your IMA notes and knowledge bases. Keep IMA credentials private, avoid setting IMA_BASE_URL or custom options unless you trust the endpoint, and confirm any write, upload, or append operation before it runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The skill performs a self-update check against a remote endpoint and writes a local state file under ~/.config/ima/last_update_check, behavior that is outside the declared note/knowledge-base functionality. This expands the skill’s side effects and creates an extra network and filesystem capability that could be abused for tracking, control-flow manipulation, or policy bypass if the update channel or configuration is influenced.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The exported imaApi function and CLI accept an arbitrary apiPath and forward authenticated requests to `${baseUrl}/${apiPath}` using the skill's credentials. Although the skill is described as only handling notes and knowledge-base operations, this implementation can invoke any IMA OpenAPI endpoint reachable by those credentials, materially broadening the accessible attack surface.

Vague Triggers

Medium
Confidence: 95%
Finding
The skill advertises trigger phrases such as '帮我记一下' ("help me note this down") and broadly maps ordinary speech about remembering, saving, or searching personal documents to this capability. That can cause over-invocation on ambiguous user requests, leading the agent to access note or knowledge-base functions when the user may not have intended external data storage or retrieval.

Vague Triggers

Medium
Confidence: 86%
Finding
The trigger phrase for searching notes is broad enough that common conversational requests like 'search' or 'find' could activate the skill without a clear note-related intent. In a privacy-sensitive note system, accidental invocation can expose note metadata or contents via search results when the user did not intend to access this data path.

Vague Triggers

Medium
Confidence: 83%
Finding
Phrases like 'new note' or 'import note' are underspecified and can overlap with general content-generation or file-handling requests. This can lead to unintended writes to a user's note account, causing silent persistence of data the user did not explicitly authorize to store.

Vague Triggers

Medium
Confidence: 82%
Finding
Triggers such as 'list notebooks' or 'what categories are there' are semantically broad and may refer to unrelated systems, not the user's private notes. In this skill's context, misrouting such requests can reveal notebook names, folder structure, or other private organizational metadata.

Missing User Warnings

Medium
Confidence: 79%
Finding
The documentation covers searching and retrieving private note contents but does not clearly disclose that user queries and note data are transmitted to an external API service. Because the skill handles private notes, this omission weakens informed consent and increases privacy risk if users assume processing is local or confined to the chat environment.

VirusTotal

63/63 vendors flagged this skill as clean.