Is lifecoacher/qmd-skill-2 safe?

https://github.com/openclaw/skills/tree/main/skills/lifecoacher/qmd-skill-2

Overall score: 87/100
Verdict: SAFE

The qmd skill is a well-structured documentation wrapper for a local markdown search CLI tool with no prompt injection, no hardcoded exfiltration paths, and clean canary integrity. The primary risk is a supply-chain concern: the install command fetches code directly from a GitHub URL without registry-level integrity verification, and the installed binary performs unaudited model downloads at runtime. The skill itself poses no direct threat to user data.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection      92/100 · 30%
Data Exfiltration     90/100 · 25%
Code Execution        72/100 · 20%
Clone Behavior        88/100 · 10%
Canary Integrity      97/100 · 10%
Behavioral Reasoning  83/100 · 5%

Findings (6)

MEDIUM (-28): Install fetches code directly from a GitHub URL, bypassing the package registry

The install command, bun install -g https://github.com/tobi/qmd, installs a bun/npm package directly from a GitHub repository rather than from a verified registry (e.g., npmjs.com). As a result there is no registry-level signature verification, no version pinning by hash, and no immutability guarantee. A compromised or typosquatted GitHub repository could silently deliver malicious code.

LOW (-5): Runtime model auto-download introduces an unaudited second-stage fetch

SKILL.md documents that qmd vsearch and qmd query auto-download local GGUF models on first run. The download source and integrity verification for these models are opaque from the skill-audit perspective. This is a deferred code-fetch surface that is exercised during normal agent operation rather than at install time.

LOW (-12): openclaw-gateway establishes new persistent TCP connections post-install

After skill installation, the connection diff shows openclaw-gateway (pid=1083) holding two ESTABLISHED connections to 3.217.42.175:443 (AWS) and new LISTEN sockets on 127.0.0.1:18790 and 127.0.0.1:18793. These connections belong to the agent runtime infrastructure rather than to the skill, but they confirm that the runtime has active external channels that could carry data.

LOW (-10): Cron scheduling examples could persist background index processes

SKILL.md includes cron example snippets that, if the agent follows them literally, would install system-level cron jobs running qmd update and qmd embed hourly/nightly. While benign in content, this establishes persistent scheduled execution and PATH manipulation (export PATH=$HOME/.bun/bin:$PATH) that outlives the agent session.

INFO (-3): Lock file contains an unrelated skill reference (metadata hygiene)

.clawhub/lock.json references the academic-research-hub skill, indicating that the developer shipped their personal workspace lock file. This has no security impact, but it suggests the skill was not prepared from a clean environment.

INFO (-3): Sensitive file paths appeared in the auditd PATH log (attributed to the audit harness)

Auditd PATH records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials being opened at session start (timestamp 1771936320) and session end (timestamp 1771936342). Timing analysis confirms these are the audit framework's pre- and post-session baseline passes. The canary integrity check confirmed no modification or exfiltration.