Is aryannate/qmd-skill-4 safe?
https://github.com/openclaw/skills/tree/main/skills/aryannate/qmd-skill-4
The qmd-skill-4 SKILL.md is a clean, well-structured documentation wrapper for the qmd local markdown search CLI tool with no prompt injection, hidden instructions, or malicious content detected in the skill repository itself. The primary risk is a supply chain dependency: the skill's install command fetches a binary from an external, unaudited GitHub repository (github.com/tobi/qmd) that auto-downloads AI model files at runtime, meaning the security posture of the actual tool is not covered by this audit. Canary file reads observed in monitoring are attributed to the audit framework's own baseline and integrity-check operations rather than the skill, and all canary files remain intact.
Findings (6)
MEDIUM Install fetches binary from unaudited external repository -20
The skill's install metadata specifies 'bun install -g https://github.com/tobi/qmd', which installs a binary globally from a GitHub repository not covered by this audit. The qmd binary, once installed, has persistent access to any file paths the user has indexed into collections. Any malicious code introduced into the tobi/qmd repository — now or in a future update — would not be detected by auditing this skill wrapper alone. The binary also auto-downloads GGUF model files on first semantic search invocation, creating additional unmonitored network egress outside the clone monitoring window.
LOW Canary credential files read during audit — attributed to framework, not skill -5
Inotify and auditd PATH records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json were opened at timestamps 1771919348.085–086 (pre-clone, 5 seconds before git clone begins) and again at 1771919372.872 (post-install, during final monitoring wrap-up). The canary integrity check authoritatively confirms all files are intact with no modification. Temporal analysis places the first access during sudo/SSH session authentication setup and the second during post-install canary verification — both consistent with audit framework activity rather than the skill. No skill-installed process is associated with these reads in the EXECVE audit log.
LOW Broad local filesystem retrieval capability with qmd get/multi-get -12
When the skill is active, the agent is instructed to use 'qmd get path/to/file.md' and 'qmd multi-get' commands that return full document content. If a user has indexed directories containing sensitive information (credentials in markdown files, notes with passwords, private keys stored as text), a benign-seeming user query ('find my notes on AWS') could cause the agent to retrieve and expose that content. The '--full' flag returns complete document content with no size limit mentioned.
LOW Cron job examples could enable agent-configured persistence -10
SKILL.md includes cron scheduling examples ('0 * * * * export PATH=... && qmd update') and explicitly suggests 'If your Clawdbot/agent environment supports a built-in scheduler, you can run the same commands there.' An agent following these instructions could configure scheduled persistence on the user's machine. While the stated purpose is index freshness, an attacker could leverage this pattern in combination with a malicious skill to establish a foothold.
INFO Clean GitHub connection for skill retrieval — expected 0
The installation made a single TCP connection to 140.82.121.4:443 (github.com) for the git sparse-checkout clone of the skills monorepo. This connection closed cleanly after install. No new persistent connections, listening ports, or background processes were observed post-installation.
INFO No prompt injection detected in SKILL.md 0
Full review of SKILL.md found no hidden instructions, invisible Unicode characters, HTML/markdown comment tricks, persona-switching requests, or attempts to override system instructions. All content is legitimate documentation for a CLI tool. The frontmatter, trigger phrases, command examples, and performance notes are consistent with a genuine tool integration.