qmd
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- Persistence Mechanisms (HIGH): The skill documentation includes specific cron job configurations for scheduled execution of shell commands ('qmd update', 'qmd embed'). This is a known technique for maintaining persistence on a host system.\n- Unverifiable Dependencies (MEDIUM): The skill performs a global installation of a binary from a non-trusted third-party GitHub repository (https://github.com/tobi/qmd) using 'bun install -g'.\n- Command Execution (MEDIUM): The skill relies on executing various shell commands that interact with the local file system and execute downloaded code.\n- Indirect Prompt Injection (LOW): The skill retrieves content from markdown files which could contain malicious instructions designed to influence the agent's behavior.\n
- Ingestion points: file content retrieval via 'qmd get' and 'qmd search --full' in SKILL.md.\n
- Boundary markers: Absent.\n
- Capability inventory: shell command execution via the 'qmd' binary.\n
- Sanitization: Absent.
Recommendations
- AI detected serious security threats
Audit Metadata