qmd
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): Significant risk of Indirect Prompt Injection (Category 8) because the skill's core function is ingesting untrusted markdown content.
- Ingestion points: `qmd get` and `qmd query` retrieve file contents and snippets directly into the agent context (SKILL.md).
- Boundary markers: Absent; there are no instructions or delimiters to distinguish between data and commands.
- Capability inventory: The agent (Claude Code) has broad shell and file system access.
- Sanitization: None; retrieved text is processed as raw input.
- [EXTERNAL_DOWNLOADS] (MEDIUM): Requires manual installation of the `qmd` CLI from a third-party GitHub repository (tobico/qmd). This source is not on the trusted list and requires independent verification.
- [COMMAND_EXECUTION] (LOW): Orchestrates local CLI execution to perform searches. While legitimate, this provides a pathway for command-related exploits if the search queries are manipulated.
Recommendations
- AI detected serious security threats
Audit Metadata