ima-agent-skill

Fail

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: HIGH
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The SKILL.md file defines the ima_search tool using a shell command string that interpolates the {query} parameter inside double quotes: /usr/bin/python3 .../ima.py "{query}". An attacker can break out of the quotes by providing a query such as "; <malicious_command>; #", leading to arbitrary command execution on the host system.
  • [DATA_EXFILTRATION]: The script scripts/ima.py is designed to read a local configuration file (config.json or ~/.clawd_ima_config.json) to retrieve a knowledge_id. This exposes local configuration data to the agent context.
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection. It performs searches on ima.qq.com and extracts the full DOM text using Runtime.evaluate. Malicious instructions embedded in search results or the target website could be ingested by the agent. The skill lacks boundary markers or sanitization for the extracted content.
  • [EXTERNAL_DOWNLOADS]: The skill makes local network requests to http://127.0.0.1:8315/json/version and http://127.0.0.1:8315/json/new to manage the IMA application. While targeted at localhost, this interaction with the Chrome DevTools Protocol allows for controlling the browser instance and executing arbitrary JavaScript via Runtime.evaluate.
Recommendations
  • HIGH: Downloads and executes remote code from: http://{host}:{port}/json/version - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 17, 2026, 07:59 PM