Is dpaluy/qmd-cli safe?

https://github.com/openclaw/skills/tree/main/skills/dpaluy/qmd-cli

Overall score: 89 (SAFE)

This skill provides documentation for using the qmd local markdown search tool and appears to be legitimate. The main security concern is that it requires users to install external software from GitHub, introducing supply chain risk.

Category Scores (score/100 · weight)

Prompt Injection 95/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (2)

MEDIUM (-30): External Package Installation Required

The skill instructs users to install an external package globally using 'bun install -g https://github.com/tobi/qmd'. This downloads and executes code from a third-party repository, which introduces supply chain risk if that repository is compromised.

LOW (-20): Dependency on External Tool

The skill's functionality depends entirely on an external tool (qmd) that must be installed separately. Users must trust the security of the external dependency.