qmd
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH
Categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of a global CLI tool directly from an unverified GitHub repository (https://github.com/tobi/qmd) using 'bun install -g'. This source is not recognized as a trusted organization or well-known service.
- [COMMAND_EXECUTION]: The skill implements a persistence mechanism by suggesting the addition of an auto-refresh script to the SessionStart hook in ~/.claude/settings.json. This ensures the external tool executes every time a new agent session is initialized.
- [COMMAND_EXECUTION]: The 'qmd update --pull' command allows the tool to dynamically fetch and apply updates from the remote repository, bypassing standard package management controls.
- [PROMPT_INJECTION]: The tool performs full-text and vector searches over local conversation histories and documentation. This creates a surface for indirect prompt injection, as malicious instructions stored in historical data could be retrieved and processed by the AI agent without proper sanitization or boundary markers.
Recommendations
- AI detected serious security threats