Ima Skill
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a legitimate IMA notes and knowledge-base integration, but it needs your IMA API credentials and can read or change your notes and knowledge-base content when you ask it to.
Install this only if you want an agent to manage your IMA notes and knowledge base. Protect the IMA API key, confirm any operation that changes existing notes, and upload only files or URLs you are comfortable sending to IMA/Tencent COS.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone installing it must trust the skill with credentials that can access their IMA notes and knowledge-base data.
The skill requires user-provided IMA OpenAPI credentials and may read them from a local config file; this is expected for the integration but grants account-level access to IMA APIs.
requires: { env: ['IMA_OPENAPI_CLIENTID', 'IMA_OPENAPI_APIKEY'] } ... echo "your_api_key" > ~/.config/ima/api_key ... Agent 会按优先级依次尝试:环境变量 → 配置文件。Use credentials intended for this integration, keep the config file private, and rotate the API key if it may have been exposed.
A mistaken append could permanently add content to the wrong note, though the skill’s instructions try to prevent that.
The skill can mutate existing notes through append operations, but the artifact clearly labels this as sensitive and requires confirmation when the target note is unclear.
`append_doc` 会**不可撤销地修改**用户的现有笔记,因此必须谨慎处理 ... **必须先向用户确认**,不要自行猜测。
Before allowing append operations, confirm the target note and content; prefer creating a new note when the instruction is ambiguous.
Files uploaded to a knowledge base are transmitted to Tencent COS infrastructure as part of the upload workflow.
The upload helper sends the selected file contents to Tencent COS using temporary upload credentials. This is part of the documented knowledge-base upload flow, but users should notice that uploads involve myqcloud.com as well as ima.qq.com.
const hostname = `${bucket}.cos.${region}.myqcloud.com`; ... req.write(fileContent);Only upload files you intend to add to IMA, and review whether Tencent COS/myqcloud.com is acceptable for your data.