ima-notes
Pass
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The
ima_notes_tool.pyscript utilizessubprocess.runto execute a secondary local script,ima_tool.py, for command orchestration. The execution uses a list of arguments with the current Python interpreter, which is a safe practice to avoid shell injection. - [EXTERNAL_DOWNLOADS]: The skill makes network requests to
https://ima.qq.comusing theurllib.requestlibrary. This is the official endpoint for the IMA OpenAPI, a well-known service from Tencent. - [DATA_EXFILTRATION]: The tool provides functionality to read local files via the
--content-fileargument in thecreate-noteandappend-notecommands. This data is then transmitted to the IMA API. This is an intended feature for document import and follows the primary purpose of the skill. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes external data.
- Ingestion points: Note content is retrieved via the IMA API (
read-note) and local files can be read via the--content-fileargument. - Boundary markers: The instructions do not define delimiters or warnings for the agent to ignore instructions embedded within note content.
- Capability inventory: The skill has the ability to read local files and perform network operations via API calls.
- Sanitization: There is no evidence of content sanitization or validation before the data is presented to the agent.
- [CREDENTIALS_UNSAFE]: The skill manages API credentials (
client_idandapi_key) through a configuration file or environment variables. Instructions are provided for the agent to assist in setting up these credentials, which is a standard configuration procedure.
Audit Metadata