Trust Assessment
qmd received a trust score of 69/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 3 medium, and 0 low severity. Key findings include "Sensitive environment variable access: $HOME", "Unpinned Dependency in Installation Command", and "Potential Command Injection via User Input to CLI Tool".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| HIGH | Excessive Filesystem Read Permissions via 'qmd get' | The `qmd get "path/to/file.md"` command, as described in the skill, allows the retrieval of any file on the filesystem by its absolute or relative path. This capability is not restricted to files within explicitly indexed collections. This grants the skill, and by extension the agent, broad read access to the local filesystem, posing a significant data exfiltration risk if an attacker can control the path argument provided to the agent. Restrict the `qmd get` command to only retrieve files from explicitly indexed collections, or implement strict path validation and sandboxing within the `qmd` tool to prevent access to sensitive system files. The agent should also be extremely cautious about paths provided by untrusted input when using this command. | LLM | SKILL.md:95 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/pmaeter/qmd-skill-main/SKILL.md:23 |
| MEDIUM | Unpinned Dependency in Installation Command | The skill's installation command `bun install -g https://github.com/tobi/qmd` pulls the `qmd` tool directly from a GitHub repository's default branch without specifying a fixed version (commit hash or tag). This makes the installation vulnerable to supply chain attacks if the upstream repository is compromised, as malicious code could be introduced and automatically pulled in subsequent installations. Pin the installation to a specific commit hash or tag, e.g., `bun install -g https://github.com/tobi/qmd#v1.2.3` or `bun install -g https://github.com/tobi/qmd#<commit_hash>`. | LLM | SKILL.md:49 |
| MEDIUM | Potential Command Injection via User Input to CLI Tool | The skill describes interacting with the `qmd` command-line tool where user-provided strings (e.g., 'query' in `qmd search "query"`) are passed as arguments. If the agent directly substitutes untrusted user input into these commands without proper escaping, or if the `qmd` tool itself does not sanitize its arguments against shell metacharacters, it could lead to arbitrary command execution on the host system. This is a common risk when wrapping command-line tools. The agent using this skill must sanitize and properly escape all user-provided input before constructing and executing `qmd` commands. Additionally, the `qmd` tool itself should robustly handle and sanitize its arguments to prevent shell injection. | LLM | SKILL.md:80 |