Low risk: risk score 15/100
Last scan: 20 hours ago
ima-team-board
IMA Team Board - AI Team Collaboration Message Board via IMA API
IMA Team Board is a legitimate message board tool that uses Tencent IMA API for AI team collaboration. No malicious behavior detected; only minor documentation gaps regarding declared permissions.
Skill name: ima-team-board
Analysis time: 27.8s
Engine: pi
Verdict: can be installed
This skill is safe to use. Consider adding explicit permission declarations (network:WRITE, environment:READ) in SKILL.md metadata to improve transparency.

Security findings (2)

Severity | Finding | Location

Low | Missing permission declarations (Documentation deception) | SKILL.md:1
SKILL.md does not declare network:WRITE and environment:READ permissions required for IMA API integration. These are legitimate requirements but should be explicitly stated.
Evidence: No allowed-tools or permissions section defined
→ Add a 'permissions' or 'allowed-tools' section to SKILL.md declaring: network:WRITE (for IMA API calls), environment:READ (for API credentials)

Info | Placeholder credentials in documentation (Sensitive access) | README.md:29
README.md shows example APIKEY='your_api_key_here' which is a placeholder. This is clearly marked as example only and not actual credential harvesting.
Evidence: IMA_OPENAPI_APIKEY='your_api_key_here'
→ This is acceptable documentation practice for examples. No action needed.
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | NONE | WRITE | ✗ Exceeds declared | ima_board.py:26 - self.base_url = 'https://ima.qq.com/openapi/note/v1'
Environment variables | NONE | READ | ✗ Exceeds declared | ima_board.py:23 - self.api_key = api_key or os.getenv('IMA_OPENAPI_APIKEY')
File system | NONE | NONE | | No file operations beyond CLI argument parsing
1 high-severity · 3 findings

High | API key | Suspected hard-coded credential
APIKEY="your_api_key_here"
README.md:29

Medium | External URL | External URL
https://ima.qq.com/agent-interface
README.md:27

Medium | External URL | External URL
https://ima.qq.com/openapi/note/v1
ima_board.py:35

Directory structure

3 files · 14.5 KB · 493 lines
Python: 1 file · 292 lines; Markdown: 2 files · 201 lines
├─ 🐍 ima_board.py Python 292L · 10.0 KB
├─ 📝 README.md Markdown 147L · 3.3 KB
└─ 📝 SKILL.md Markdown 54L · 1.3 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
requests | * | pip | | Not pinned, but widely-used standard library

Security highlights

✓ No base64 encoded execution or obfuscation detected
✓ No reverse shell, C2, or data exfiltration infrastructure
✓ No credential harvesting beyond legitimate API authentication
✓ No access to sensitive system paths (~/.ssh, ~/.aws, etc.)
✓ No curl|bash or wget|sh remote script execution
✓ No suspicious network behavior - only calls to legitimate Tencent IMA API (ima.qq.com)
✓ Clean, straightforward Python code with no anti-analysis techniques
✓ Dependencies are standard and well-known (requests library)