Trust Assessment
qmd received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unpinned dependency installed from GitHub URL.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 96634da3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unpinned dependency installed from GitHub URL.** The skill explicitly instructs the installation of the `qmd` CLI tool directly from `https://github.com/tobi/qmd` without specifying a version or commit hash. This means the skill will always install the latest version from the default branch, making it vulnerable to upstream changes. If the `tobi/qmd` repository is compromised or a malicious change is introduced, the skill would automatically install and use the compromised version, posing a significant supply chain risk. Pin the dependency to a specific version or commit hash (e.g., `bun install -g https://github.com/tobi/qmd#v1.1.1` or `bun install -g https://github.com/tobi/qmd#<commit_hash>`) to ensure consistent and verifiable installations. Consider using a package registry with integrity checks. | Static | SKILL.md:10 |
Scan History
Powered by SkillShield