ima skills(中文-精炼版)
v1.0.2统一IMA OpenAPI技能,支持笔记管理和知识库操作。 触发:知识库、资料库、笔记、上传文件、添加网页、搜索内容。
⭐ 1· 498·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (IMA OpenAPI note & knowledge-base operations) align with the included scripts and SKILL.md. Required env vars (IMA_OPENAPI_CLIENTID, IMA_OPENAPI_APIKEY) are exactly what the scripts use to authenticate to ima.qq.com. Network hosts enumerated (ima.qq.com and *.myqcloud.com) match the code paths (API requests to ima.qq.com and COS upload to *.myqcloud.com).
Instruction Scope
SKILL.md and the scripts only call the declared IMA API and Tencent COS endpoints and read credentials from the declared config paths or environment variables. However, create-media.cjs writes COS credentials to a temporary file (in /tmp or TMPDIR) for downstream scripts to consume, and cos-upload.cjs supports reading a credential file or command-line secret arguments. Writing sensitive COS credentials to world-readable temporary locations can increase exposure on multi-user systems; the scripts attempt to delete the cred-file after use but deletion/error-handling is best-effort.
Install Mechanism
No install spec; this is instruction-only with bundled scripts. All included code is present in the bundle (no downloads or remote installers), so nothing is fetched from untrusted URLs at install time.
Credentials
The skill only declares two primary env vars (IMA_OPENAPI_CLIENTID, IMA_OPENAPI_APIKEY), which are appropriate. Additional credentials (COS secret_id/secret_key/token) are used only for uploads and are either returned by create-media or accepted as arguments/temporary files. That behaviour is coherent but results in transient handling of extra secrets that the SKILL.md does not list as required env vars—expect the upload flow to require additional credentials and take care with temporary file handling.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform-level privileges. It does not modify other skills or global agent configuration beyond writing temporary files for upload flows (its own transient artifacts).
Assessment
This skill appears to do what it says (manage notes and knowledge bases on ima.qq.com) and only needs your IMA API credentials. Before installing or running it: 1) Only provide IMA_OPENAPI_CLIENTID and IMA_OPENAPI_APIKEY to trusted agents; these are sent to ima.qq.com as intended. 2) Be cautious when using the file-upload flow: create-media.cjs will write COS upload credentials to a temporary file (e.g., /tmp/ima-cos-cred-*.json) for the cos-upload step; on multi-user systems this can expose secrets—prefer passing credentials via secure channel or ensure temp-dir permissions are secure and delete files promptly. 3) Verify the source (homepage and owner) if you need stronger assurance—this bundle includes many scripts, so run them in a sandbox or review the code if you have sensitive data. 4) Rotate credentials if you suspect they were exposed during testing. If you want me to flag exact lines or suggest safer changes (e.g., use OS-level secure storage instead of temp files), I can point them out.Like a lobster shell, security has layers — review code before you run it.
latestvk97embqfh4z40ztfdh2nqts5zx83tv1a
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🔧 Clawdis
EnvIMA_OPENAPI_CLIENTID, IMA_OPENAPI_APIKEY
Primary envIMA_OPENAPI_CLIENTID