Is levineam/qmd-skill safe?

https://github.com/levineam/qmd-skill

79
CAUTION

The qmd-skill is a documentation-only skill (SKILL.md + README.md) that teaches an agent to use the qmd local markdown search tool. It contains no executable code itself, but its install metadata directs global installation of an external package from a different author's GitHub repo via 'bun install -g', which is the primary risk vector. The skill also suggests cron-based persistence and auto-downloads ML models from unspecified sources. No malicious behavior was detected during clone monitoring.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (8)

HIGH Global package install from GitHub URL -30

The skill's install metadata specifies 'bun install -g https://github.com/tobi/qmd' which installs an external package globally. This executes any lifecycle scripts (preinstall/postinstall) in the qmd package with the user's full privileges. The skill repo itself does not contain the qmd code — it delegates trust entirely to an external repository owned by a different author (tobi).

MEDIUM Cron job persistence suggestion -10

The SKILL.md suggests configuring cron jobs for automated qmd update and qmd embed commands. If an agent follows these instructions, it establishes persistent scheduled execution on the host that survives session termination. While presented as a convenience feature, this creates a persistence mechanism.

MEDIUM Auto-download of ML models from unspecified source -10

The skill documents that qmd auto-downloads GGUF model files on first run to ~/.cache/qmd/models/. The source of these models is not specified in the skill documentation, creating a supply-chain risk where model files could be tampered with or the download endpoint could be compromised.

LOW Behavioral directives shape agent search behavior -8

The skill contains opinionated behavioral directives ('Prefer qmd search', 'Avoid qmd query', 'Default behavior (important)') that influence how the agent chooses between search modes. While contextually appropriate, these directives could be modified in a future version to redirect agent behavior in undesirable ways.

LOW Cross-skill interaction surface -5

The skill explicitly references and encourages combined use with Clawdbot's memory_search, creating a cross-skill interaction surface. While benign in current form, this pattern could be exploited if either tool's behavior changes.

LOW Wrapper skill with unclear provenance -15

This skill is authored by 'levineam' but wraps a tool by 'tobi' (https://github.com/tobi/qmd). The indirection means users trust two parties — the skill author and the upstream tool author — but the trust boundary is not clearly delineated.

INFO Filesystem indexing by design -5

The skill instructs the agent to index user directories containing markdown notes and documents. This is the intended functionality but means the qmd tool will have indexed access to potentially sensitive content in the user's notes.

INFO Standard shell initialization file reads during clone -5

Filesystem monitoring shows reads of .env, .aws/credentials, .profile, .bashrc during the clone process. These are consistent with standard shell environment initialization and are not attributable to the skill itself.