qmd
Fail
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Unverifiable Dependencies & Remote Code Execution] (HIGH): The skill's setup instructions direct the agent to install a global binary from an untrusted GitHub repository (`bun install -g https://github.com/tobi/qmd`). This source is not within the defined trust scope, and the binary is subsequently executed with access to the user's local file system.
- [Indirect Prompt Injection] (HIGH): This skill is designed to search and retrieve snippets from external markdown collections (e.g., Obsidian vaults). It lacks explicit boundary markers or sanitization logic when presenting these snippets to the agent.
  - Ingestion points: Markdown files within indexed collections (SKILL.md).
  - Boundary markers: None identified in the workflow for handling search results.
  - Capability inventory: Execution of subprocess commands (`qmd`) and file reading via a 'Read tool'.
  - Sanitization: No instructions provided to sanitize or ignore embedded prompts in retrieved text.
- [Command Execution] (MEDIUM): The skill relies on executing shell commands (`qmd search`, `qmd vsearch`) based on user-provided arguments. While intended for search queries, this interface provides a path for potential command injection if the underlying binary does not safely handle shell characters.
Recommendations
- AI detected serious security threats
Audit Metadata