Is anshumanbh/anshumanbh-qmd safe?

https://github.com/openclaw/skills/tree/main/skills/anshumanbh/anshumanbh-qmd

89
SAFE

This skill is a clean CLI wrapper for the 'qmd' markdown search tool with no malicious content in its SKILL.md. The primary risk is the supply chain dependency on an external GitHub package (tobi/qmd) installed via 'bun install -g', which is only triggered during optional setup. No prompt injection, data exfiltration, canary access, or suspicious clone-time behavior was detected.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (5)

MEDIUM External package installation from GitHub URL -20

The skill's setup section instructs the agent to run 'bun install -g https://github.com/tobi/qmd', which downloads and installs a package directly from a GitHub repository. Unlike npm registry packages, this bypasses automated security scanning and could run arbitrary postinstall scripts. The installed package's behavior is outside the scope of this audit.

LOW User-controlled arguments passed to shell commands -10

The skill passes $ARGUMENTS directly to qmd shell commands (e.g., 'qmd search "$ARGUMENTS"'). While this is the expected pattern for a CLI wrapper skill, improper quoting by the agent could allow shell metacharacter injection. The risk depends on the agent's command construction behavior.

LOW Shell command execution pattern -5

The skill's workflow involves executing multiple shell commands: checking for qmd installation ('which qmd'), listing collections ('qmd collection list'), and running searches. This is appropriate for a CLI tool wrapper but grants the skill shell access by design.

INFO Indexes user markdown files by design -5

The skill's core purpose is indexing and searching user markdown files (e.g., Obsidian vaults). While this is the stated and expected functionality, users should be aware that the external qmd tool will have read access to their knowledge bases.

INFO Unrelated lock.json entry -5

The .clawhub/lock.json file references an unrelated skill 'academic-research-hub'. This appears to be a benign artifact from the skill registry system, not a dependency or security concern.