Trust Assessment
qmd received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The single finding is an unpinned dependency installed from a GitHub URL.
The analysis covered 4 layers: llm_behavioral_safety, manifest_analysis, static_code_analysis, dependency_graph. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 96634da3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned dependency installed from GitHub URL. The skill instructs the user to install the `qmd` CLI tool directly from `https://github.com/tobi/qmd` without a version tag or commit hash, so every install resolves to whatever is currently on the repository's default branch. If the `tobi/qmd` repository is compromised or a malicious change lands on that branch, the skill will install and run it on the next setup, which is a supply-chain risk. Pin the dependency to a specific ref (e.g. `bun install -g https://github.com/tobi/qmd#v1.1.1` or `bun install -g https://github.com/tobi/qmd#<commit_hash>`) so installs are reproducible and verifiable; a full commit hash is the stronger pin, since a tag can be moved after the fact. Consider installing from a package registry that provides integrity checks instead of a bare Git URL. | Unknown | SKILL.md:10 |
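The check behind this finding is simple to reproduce locally before a skill is published. The script below is an added example, not SkillShield's or qmd's own code: it scans a SKILL.md-style text for `install -g https://github.com/...` commands and reports each one as PINNED only when the URL fragment after `#` is a full 40-hex commit hash. A tag such as `v1.1.1` is reported as UNPINNED because tags are mutable; the page's own remediation lists the tag form as acceptable, so treat that stricter rule as this example's assumption. The sample lines and the placeholder commit hash are constructed for the demo and are not taken from the qmd repository.

```shell
#!/bin/sh
# Added example: detect GitHub-URL installs that are not pinned to a commit hash.
# Not part of SkillShield or qmd; sample input below is constructed.

# sed script kept in a variable so the literal backtick (common in SKILL.md
# code spans) does not need escaping inside a command substitution.
URL_RE='s/.*install -g (https:\/\/github\.com\/[^[:space:]`]*).*/\1/p'

# is_pinned URL
# Returns 0 when URL ends in "#<40 hex chars>" (a full commit SHA), 1 otherwise.
# Assumption of this example: tags (e.g. #v1.1.1) count as unpinned because
# a tag can be re-pointed upstream; only a commit hash is immutable.
is_pinned() {
  case "$1" in
    *#*) ref="${1##*#}" ;;
    *)   return 1 ;;
  esac
  printf '%s' "$ref" | grep -Eq '^[0-9a-f]{40}$'
}

# scan_installs < file
# Prints "<line>:<PINNED|UNPINNED>:<url>" for each GitHub install command.
# Returns 0 if every GitHub install is pinned, 1 if any is not.
scan_installs() {
  n=0
  unpinned=0
  while IFS= read -r line; do
    n=$((n + 1))
    case "$line" in
      *"install -g https://github.com/"*) ;;
      *) continue ;;
    esac
    url=$(printf '%s\n' "$line" | sed -nE "$URL_RE")
    [ -n "$url" ] || continue
    if is_pinned "$url"; then
      status=PINNED
    else
      status=UNPINNED
      unpinned=$((unpinned + 1))
    fi
    printf '%s:%s:%s\n' "$n" "$status" "$url"
  done
  [ "$unpinned" -eq 0 ]
}

# Constructed SKILL.md excerpt (the 40-hex hash is a placeholder, not a real qmd commit).
SAMPLE='# Install
bun install -g https://github.com/tobi/qmd
bun install -g https://github.com/tobi/qmd#v1.1.1
npm install -g some-registry-package
bun install -g https://github.com/tobi/qmd#0123456789abcdef0123456789abcdef01234567'

# Usage: run the scanner over the sample and report.
printf '%s\n' "$SAMPLE" | scan_installs || echo "unpinned GitHub installs found"
```

Run it against a real SKILL.md with `scan_installs < SKILL.md`; a nonzero exit makes it usable as a pre-publish gate in CI. Pinning alone does not give integrity verification of the fetched tree the way a registry with checksums does, which is why the finding also suggests a registry; the commit hash, however, does fix exactly which tree is fetched.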
Full report: https://skillshield.io/report/a37c5e3a685e2ff3
Powered by SkillShield