IMA知识库上传
PassAudited by ClawScan on May 11, 2026.
Overview
This instruction-only skill is a coherent IMA knowledge-base upload helper, but users should protect the required credentials, confirm the target knowledge base, and trust the external helper scripts it references.
This skill appears purpose-aligned for uploading documents to IMA. Before installing or using it, make sure you trust the referenced ima-skill helper code, store the IMA and COS credentials securely, and confirm the file and KB_ID every time to avoid uploading sensitive content to the wrong knowledge base.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using these credentials through the workflow may be able to create notes or add content to the configured IMA knowledge bases.
The skill requires IMA API credentials so it can act on the user's IMA account; this is expected for an upload integration but is sensitive authority.
requires:\n env:\n - IMA_OPENAPI_CLIENTID\n - IMA_OPENAPI_APIKEY
Use least-privilege credentials where possible, keep the environment variables private, and revoke or rotate them if the skill is no longer needed.
Uploading the wrong file or using the wrong knowledge-base ID could place content in an unintended IMA knowledge base.
The documented workflow performs remote API actions that create notes/media and add them to a knowledge base. This matches the skill purpose, but it is still an account-mutating operation.
import_doc → add_knowledge ... create_media → COS上传 → add_knowledge
Before running the workflow, confirm the exact file, title, and KB_ID, especially when using the hard-coded example knowledge-base IDs.
Actual credential handling and API behavior depend on the external ima-skill files, not just this instruction-only skill.
The skill references helper code from another local skill path that is not included in the reviewed manifest, so this review cannot assess that helper's behavior.
const api = require('C:\\Users\\shibi\\.openclaw\\skills\\ima-skill\\ima_api.cjs');Install the referenced ima-skill only from a trusted source and review its helper scripts before using this workflow with real credentials.
Private or regulated documents could be stored in an external knowledge base if selected for upload.
The workflow sends document content or files to IMA/COS as part of the upload process. This is disclosed and purpose-aligned, but it is a sensitive data flow.
content: markdownContent ... COS上传 ... --file "file"
Upload only approved documents, verify the target knowledge base, and avoid using this workflow for content that should not leave the local environment.