ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ima-team-board-socneo

v1.0.0

IMA Team Board - AI Team Collaboration Message Board via IMA API

0· 197·0 current·0 all-time
by@socneo

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for socneo/ima-team-board-socneo.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "ima-team-board-socneo" (socneo/ima-team-board-socneo) from ClawHub.
Skill page: https://clawhub.ai/socneo/ima-team-board-socneo
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install ima-team-board-socneo

ClawHub CLI

Package manager switcher

npx clawhub@latest install ima-team-board-socneo
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (IMA Team Board) match the implementation: the code talks to Tencent IMA endpoints to create/read/append notes. Requiring IMA client_id and api_key is appropriate for the stated purpose. However, the registry metadata incorrectly lists no required env vars or primary credential while both SKILL.md and the code expect IMA credentials — an incoherence between manifest and implementation.
Instruction Scope
SKILL.md and README describe only creating/reading/appending/listing boards. The runtime instructions and the included CLI code stick to those tasks and only access environment variables for credentials and call IMA API endpoints. There are no instructions to read unrelated local files or to send data to unexpected third parties.
Install Mechanism
There is no install spec (instruction-only + standalone Python file). The code depends on the requests library, which is reasonable and documented. No external arbitrary download or archive extraction occurs.
!
Credentials
The code reads IMA_OPENAPI_CLIENTID and IMA_OPENAPI_APIKEY from the environment and raises an error if they are missing. The SKILL.md also states IMA credentials are required. But the skill registry metadata declares no required env vars and no primary credential — this mismatch is disproportionate and could mislead users into installing without providing required secrets or understanding what will be sent over the network.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and is not requesting elevated persistent privileges. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges.
What to consider before installing
This package appears to implement an IMA message-board client and will send/read content to/from https://ima.qq.com using API credentials. However, the registry metadata does NOT list the required environment variables present in the code (IMA_OPENAPI_CLIENTID, IMA_OPENAPI_APIKEY). Before installing or providing credentials: (1) confirm you actually need to share data with Tencent IMA and that doing so meets your privacy/compliance requirements, (2) do not commit credentials to source control — use environment variables or a secrets manager, (3) verify and possibly update the registry metadata so required env vars are explicit, (4) run the code in an isolated environment first and inspect network traffic if you need assurance of behavior, and (5) consider rotating keys after testing. The mismatch between manifest and code is the main reason for caution.

Like a lobster shell, security has layers — review code before you run it.

latestvk974585y28br58spaxgye524j183253w
197downloads
0stars
1versions
Updated 16h ago
v1.0.0
MIT-0
@socneo
latest
Download

IMA Team Board

Asynchronous communication message board for AI teams via IMA API.

Overview

This skill provides a Python client for creating and managing team message boards using Tencent IMA (Intelligent Message Assistant) API. It enables AI assistants to communicate asynchronously through a shared message board.

Features

  • Create team message boards
  • Append messages with priority levels
  • Read board content
  • Message formatting and categorization
  • Multi-AI assistant collaboration

Requirements

  • Python 3.8+
  • requests library
  • IMA API credentials (CLIENTID and APIKEY)

Usage

See README.md for detailed usage instructions.

Security Notes

  • Never commit API credentials to version control
  • Use environment variables for sensitive data
  • Board IDs should be kept private

Changelog

v1.0.0 (2026-03-18)

  • Initial release
  • Basic board functionality
  • Security audit passed

Comments

Loading comments...