Low Risk — Risk Score 15/100
Last scan: 20 hr ago
ima-team-board
IMA Team Board - AI Team Collaboration Message Board via IMA API
IMA Team Board is a legitimate message board tool that uses Tencent IMA API for AI team collaboration. No malicious behavior detected; only minor documentation gaps regarding declared permissions.
Skill Name: ima-team-board
Duration: 27.8s
Engine: pi
Safe to install
This skill is safe to use. Consider adding explicit permission declarations (network:WRITE, environment:READ) in SKILL.md metadata to improve transparency.

Findings 2 items

Severity: Low
Finding: Missing permission declarations (Doc Mismatch)
SKILL.md does not declare network:WRITE and environment:READ permissions required for IMA API integration. These are legitimate requirements but should be explicitly stated.
No allowed-tools or permissions section defined
→ Add a 'permissions' or 'allowed-tools' section to SKILL.md declaring: network:WRITE (for IMA API calls), environment:READ (for API credentials)
Location: SKILL.md:1

Severity: Info
Finding: Placeholder credentials in documentation (Sensitive Access)
README.md shows example APIKEY='your_api_key_here' which is a placeholder. This is clearly marked as example only and not actual credential harvesting.
IMA_OPENAPI_APIKEY='your_api_key_here'
→ This is acceptable documentation practice for examples. No action needed.
Location: README.md:29

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | NONE | WRITE | ✗ Violation | ima_board.py:26 - self.base_url = 'https://ima.qq.com/openapi/note/v1' |
| Environment | NONE | READ | ✗ Violation | ima_board.py:23 - self.api_key = api_key or os.getenv('IMA_OPENAPI_APIKEY') |
| Filesystem | NONE | NONE | | No file operations beyond CLI argument parsing |

1 High 3 findings
High API Key: Suspected hard-coded credential
APIKEY="your_api_key_here"
README.md:29
Medium External URL
https://ima.qq.com/agent-interface
README.md:27
Medium External URL
https://ima.qq.com/openapi/note/v1
ima_board.py:35

File Tree

3 files · 14.5 KB · 493 lines
Python 1f · 292L Markdown 2f · 201L
├─ 🐍 ima_board.py Python 292L · 10.0 KB
├─ 📝 README.md Markdown 147L · 3.3 KB
└─ 📝 SKILL.md Markdown 54L · 1.3 KB

Dependencies 1 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| requests | * | pip | No | Not pinned, but widely-used standard library |

Security Positives

✓ No base64 encoded execution or obfuscation detected
✓ No reverse shell, C2, or data exfiltration infrastructure
✓ No credential harvesting beyond legitimate API authentication
✓ No access to sensitive system paths (~/.ssh, ~/.aws, etc.)
✓ No curl|bash or wget|sh remote script execution
✓ No suspicious network behavior - only calls to legitimate Tencent IMA API (ima.qq.com)
✓ Clean, straightforward Python code with no anti-analysis techniques
✓ Dependencies are standard and well-known (requests library)