qmd-knowledge
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (MEDIUM): The skill instructs users to install a package directly from an untrusted third-party GitHub repository (github.com/tobi/qmd) using 'bun install -g', which poses a risk of executing unverified code during the installation process.
- Metadata Poisoning (MEDIUM): There is a discrepancy between the project URL in the license metadata (hjanuschka/pi-qmd) and the installation instructions (tobi/qmd), which is a deceptive pattern that can obscure the source of the code.
- Command Execution (MEDIUM): The tools defined in the skill act as wrappers for a CLI utility that accepts file paths and search patterns, which could potentially be exploited to access files outside the intended directories if not properly sanitized by the underlying tool.
- Indirect Prompt Injection (LOW): The skill ingests untrusted data from markdown files that could contain malicious instructions designed to hijack the agent's logic.
  1. Ingestion points: qmd_get, qmd_multi_get, and qmd_query.
  2. Boundary markers: Absent.
  3. Capability inventory: Local file system access via search and retrieval tools.
  4. Sanitization: None documented in the skill profile.