Trust Assessment
levineam/qmd-skill:root received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 2 high, 3 medium, and 0 low severity. Key findings include "Sensitive environment variable access: $HOME", "Unpinned dependency installed from GitHub URL", and "Tool can read arbitrary files from filesystem".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on March 6, 2026 (commit a2daa499). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned dependency installed from GitHub URL. The skill's installation command `bun install -g https://github.com/tobi/qmd` directly installs the `qmd` tool from a GitHub repository without specifying a version, commit hash, or tag. This means that any changes to the default branch of the `tobi/qmd` repository will be pulled during installation. This poses a significant supply chain risk, as a malicious update to the upstream repository could compromise the agent's environment with arbitrary code execution during installation or subsequent use of the `qmd` tool. Pin the dependency to a specific version, commit hash, or tag (e.g., `bun install -g https://github.com/tobi/qmd#v1.2.3` or `bun install -g https://github.com/tobi/qmd#<commit_hash>`) to ensure deterministic and verifiable installations. | LLM | Manifest |
| HIGH | Tool can read arbitrary files from filesystem. The `qmd get` and `qmd multi-get` commands are designed to retrieve the full content of specified files or patterns. If an agent is instructed to use these commands with paths or patterns derived from untrusted input, it could be coerced into reading sensitive files from the filesystem (e.g., `/etc/passwd`, `~/.ssh/id_rsa`). This capability, while core to the tool's function, presents a significant data exfiltration risk if not carefully controlled by the agent. The agent should implement strict validation and sanitization of all file paths and patterns provided to `qmd get` and `qmd multi-get` commands, ensuring they only target intended, non-sensitive directories or files. Consider sandboxing the `qmd` process if possible. | LLM | SKILL.md:79 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | SKILL.md:23 |
| MEDIUM | CLI tool arguments vulnerable to command injection if not sanitized. The `qmd` skill exposes several commands (`qmd search`, `qmd collection add`, `qmd get`, `qmd multi-get`) that take user-provided string arguments (e.g., search queries, file paths). If the agent constructs shell commands by directly concatenating untrusted user input into these arguments without proper sanitization or escaping, it could lead to command injection. For example, an attacker could craft a query like `"foo; rm -rf /"` to execute arbitrary commands on the host system. This is a common vulnerability when interacting with external CLI tools via shell. The agent implementation should use safe methods for executing external commands, such as `subprocess.run()` with a list of arguments (e.g., `subprocess.run(["qmd", "search", user_query])`) instead of `shell=True` or string interpolation, and ensure all user-provided inputs are properly escaped or validated. | LLM | SKILL.md:58 |
| MEDIUM | Global installation grants broad system access. The `bun install -g` command installs the `qmd` tool globally, granting it broad system-wide execution permissions. Furthermore, the `qmd` tool is designed to index and retrieve content from local filesystems, implying extensive read access to user-specified directories and potentially arbitrary file paths via commands like `qmd get`. While necessary for its function, this level of access, especially when installed globally, presents a higher risk profile if the tool itself or its usage by the agent is compromised. Consider if global installation is strictly necessary. If possible, install the tool in a more confined environment (e.g., a virtual environment or user-local directory). Implement strict input validation and access control within the agent to limit the paths `qmd get` can access. | LLM | Manifest |