qmd
Warn
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: The skill instructions direct the agent to fetch and execute a setup script for Node.js using 'curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -'. While NodeSource is a well-known provider, piping remote scripts to a shell with elevated privileges is a significant security risk.
- [EXTERNAL_DOWNLOADS]: The skill performs global installation of the '@tobilu/qmd' package from the NPM registry and automatically downloads approximately 2GB of GGUF model files from external sources during the first run.
- [PRIVILEGE_ESCALATION]: Setup instructions require 'sudo' permissions for package manager operations and system-wide Node.js configuration.
- [PERSISTENCE_MECHANISMS]: The skill provides automated methods for establishing persistence on macOS (via launchd plists in '/Library/LaunchAgents/') and Linux (via systemd user services in '/.config/systemd/user/') to maintain a background HTTP daemon process.
- [INDIRECT_PROMPT_INJECTION]: The skill establishes a vulnerability surface for indirect prompt injection as it indexes and retrieves content from untrusted local documents and meeting transcripts.
- Ingestion points: External document collections added via 'qmd collection add'.
- Boundary markers: None; the skill does not specify delimiters or warnings to ignore instructions within retrieved documents.
- Capability inventory: The agent can execute terminal commands and read full document content through 'qmd get'.
- Sanitization: No sanitization or validation of the retrieved content is mentioned before it is processed by the agent.
Audit Metadata