qmd-knowledge
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Instructs the user to install the qmd tool from a third-party GitHub repository (https://github.com/tobi/qmd) to enable search and embedding capabilities.
- [COMMAND_EXECUTION]: The record.sh script executes shell commands including git for project detection, mkdir for directory structure management, and qmd for index updates.
- [PROMPT_INJECTION]: An indirect prompt injection surface is present as the agent is instructed to query a knowledge base populated by user-provided content.
  1. Ingestion points: Data entered via the record.sh script is stored as markdown in ~/.ai-knowledges/ (scripts/record.sh).
  2. Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the stored knowledge files.
  3. Capability inventory: The skill uses qmd search and query tools to retrieve context for the agent (SKILL.md).
  4. Sanitization: The skill implements path traversal validation using directory comparison and safe slugification for filenames to protect the local file system.
Audit Metadata