qmd
Warn
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill instructions and metadata require installing an external CLI tool from 'https://github.com/tobi/qmd', which is not a trusted source. The tool also automatically downloads GGUF models from external sources during its first run.
- COMMAND_EXECUTION (MEDIUM): The skill uses 'child_process.execSync' to run system commands. Although it uses a 'sanitizeShellArg' function with a restrictive character whitelist to prevent shell escape, the direct execution of shell commands based on user-provided strings is a sensitive capability.
- PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection because it processes untrusted local markdown files.
  1. Ingestion points: Markdown content retrieved from 'qmd search' and 'qmd get' operations in index.ts.
  2. Boundary markers: Absent; the agent receives the raw content of the markdown files without delimiters or instructions to ignore embedded commands.
  3. Capability inventory: The skill has the ability to execute shell commands via 'execSync'.
  4. Sanitization: No sanitization or filtering is performed on the file content before it is interpolated into the agent's context.
Audit Metadata