Tencent Ima Skill Publish

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its IMA notes and knowledge-base purpose, but it needs Review because it exposes broad credentialed API access and remote write/upload capability without tight path and domain scoping.

Install only if you trust the publisher with your Tencent IMA notes, knowledge bases, and API key. Before use, verify the skill cannot be invoked with arbitrary apiPath/baseUrl values, protect ~/.hermes/.env, and be careful with upload-file and append/new-note operations because they can transmit or persist sensitive content remotely.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch

Medium
93% confidence
Finding
The skill performs a hidden update check against a remote endpoint and writes a local timestamp file outside the user-declared knowledge-base/note functionality. This creates undocumented network and filesystem side effects, and the server-controlled update metadata can influence behavior by causing the tool to abort normal execution with an update-required condition.

Context-Inappropriate Capability

High
97% confidence
Finding
The exported API wrapper accepts an arbitrary apiPath and sends authenticated requests to `${baseUrl}/${apiPath}` with loaded credentials, rather than enforcing only note/knowledge-base operations described by the skill. This means any caller able to influence apiPath or baseUrl can expand the skill's effective permissions and invoke unintended backend actions with the user's credentials.

Context-Inappropriate Capability

Medium
94% confidence
Finding
The document explicitly instructs the skill to request whatever URL the remote API returns and to attach service-provided headers when doing so. That expands the skill from calling a fixed vendor API into a general outbound fetcher with credentialed requests, which can enable SSRF-style access, retrieval of sensitive signed URLs, or unintended access to internal or third-party resources if the returned URL is ever influenced or compromised.

Description-Behavior Mismatch

Medium
85% confidence
Finding
The requirements summary explicitly states the skill was extended with discovery of 5 undocumented endpoints, which broadens functionality beyond the declared notebook/knowledge-base use case. Using undocumented APIs increases the chance of unintended data access, unstable behavior, or bypass of normal product guardrails because those endpoints are not part of the reviewed, documented contract.

Missing User Warnings

Medium
90% confidence
Finding
The changelog explicitly documents active endpoint probing and proposes cookie-based automation to achieve delete/move/rename behaviors outside the documented OpenAPI surface. That materially increases risk because it normalizes unsupported access patterns that may bypass intended product controls, expose session cookies, and lead to unauthorized or destructive actions against user content.

Missing User Warnings

Medium
92% confidence
Finding
The README instructs users to append long-lived API credentials directly into ~/.hermes/.env, creating persistent local secret storage without any warning about leakage risks, backups, shell history, or multi-user host exposure. In a skill that performs networked API calls and file uploads, compromising this file could allow unauthorized access to the user's IMA account and associated knowledge data.

Vague Triggers

High
93% confidence
Finding
The trigger conditions are unusually broad and include generic phrases like '帮我记一下' (roughly, "help me note this down") and personal document access patterns, which can cause the skill to activate for ordinary conversation or unrelated note-taking intents. Over-broad activation increases the chance of unnecessary access to notes, knowledge-base contents, or upload flows without sufficiently specific user intent.

Missing User Warnings

Medium
86% confidence
Finding
The upload-file workflow performs a full remote write pipeline—duplicate-name check, media creation, cloud upload, and add_knowledge—without any interactive confirmation or explicit warning that local files will be transmitted to Tencent/COS services. In an agent-skill context, this increases the risk of accidental exfiltration or unintended remote persistence of sensitive local files when a higher-level agent invokes the command on the user's behalf.

Missing User Warnings

Medium
78% confidence
Finding
The skill is designed to upload files, import URLs, and retrieve original content from a remote Tencent service, yet the documentation provides no user-facing disclosure or consent guidance around transmitting user data off-platform. In a skill that handles personal notes, documents, and web content, that omission increases the risk of silent exfiltration of sensitive user material to external services.

Vague Triggers

Medium
83% confidence
Finding
The trigger phrase for search is broad enough that normal conversational requests like 'search' or 'find' could invoke the note skill unintentionally. In a privacy-sensitive notes context, accidental activation can expose note titles, metadata, or contents when the user did not clearly intend to access personal notes.

Vague Triggers

Medium
90% confidence
Finding
The create/import note trigger includes broad phrases like saving content as a note without requiring strong confirmation boundaries. Because this is a write operation affecting user data, ambiguous activation can cause unintended persistence of content into a user's notes, creating privacy, integrity, and consent issues.

Missing User Warnings

Medium
93% confidence
Finding
The documentation describes note creation and append operations but does not require an explicit user-impact warning or confirmation before modifying persistent user data. In this skill context, silent writes are more dangerous because notes are personal records; accidental or prompt-induced writes could alter or store sensitive information without the user's informed consent.

VirusTotal

VirusTotal findings are pending for this skill version.