The Agent Skills Directory

Remote Code Execution (CRITICAL): The setup/README.md and scripts/doctor.sh files contain the pattern curl -fsSL https://bun.sh/install | bash. This executes unverified remote code with the current user's privileges and is a high-severity security risk.
Indirect Prompt Injection (HIGH): The skill is designed to search and ingest data from external markdown files which may be attacker-controlled.
Ingestion points: Ingests untrusted data via qmd search, qmd vsearch, and qmd query (documented in SKILL.md and references/commands.md).
Boundary markers: No specific delimiters or 'ignore embedded instructions' warnings are implemented to separate retrieved content from system instructions.
Capability inventory: The skill allows the Bash tool, enabling arbitrary command execution based on instructions found in search results.
Sanitization: There is no evidence of sanitization or filtering of the content retrieved from indexed files before it is processed by the agent.
Prompt Injection (HIGH): The skill documentation (setup/README.md) explicitly instructs the agent to adopt an aggressive posture using 'MANDATORY' and 'FORBIDDEN' markers, including the specific directive 'If you answer without running qmd, you have failed.' This is designed to override the agent's internal reasoning and default safety protocols.
Persistence Mechanisms (HIGH): The setup process involves creating a launchd job (~/Library/LaunchAgents/com.qmd-embed.plist) and modifying shell profiles (~/.zshrc). These actions establish persistence, allowing the skill's code to run automatically across sessions.
External Downloads (MEDIUM): The skill installs an unverified package directly from a GitHub repository (bun install -g github:tobi/qmd) without version pinning or integrity validation.

qmd