qmd-knowledge

Warn

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of the 'qmd' tool from a non-trusted GitHub user account.
      • Evidence: SKILL.md directs users to run bun install -g https://github.com/tobi/qmd.
      • Context: Installing software from individual, unverified repositories increases the risk of supply chain attacks.
  • [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by recording user-supplied content that is later retrieved and processed by the AI.
      • Ingestion points: scripts/record.sh takes user input for 'learning', 'issue', and 'note' types and writes them to markdown files in ~/.ai-knowledges/.
      • Boundary markers: Data is stored as raw markdown without structural delimiters or system instructions to the agent to disregard embedded commands during retrieval.
      • Capability inventory: The agent is instructed in SKILL.md to use qmd search and qmd query to read these files, creating a loop where malicious instructions stored in notes could be executed in future sessions.
      • Sanitization: No sanitization or safety filtering is applied to the input content before it is committed to the knowledge base.
  • [COMMAND_EXECUTION]: The skill's recording script executes shell commands and an external binary.
      • Evidence: scripts/record.sh executes qmd embed, qmd collection, and git commands to manage the knowledge base index and project context.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Mar 12, 2026, 01:33 AM