Back to skill
Skillv0.1.0
VirusTotal security
Qmd · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:14 AM
- Hash
- e9b7587e517c88fa2b4d37de0511b82255959520b42f2bfa849b01701fab7651
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: qmd-skill-4 Version: 0.1.0 The skill instructs the agent to install the `qmd` tool globally from an external GitHub repository (`https://github.com/tobi/qmd`) via `bun install -g` in `SKILL.md`. While this action is necessary for the skill's stated purpose, it introduces a supply chain vulnerability, as the integrity of the external repository is not guaranteed and could be compromised to deliver malicious payloads. The skill also involves extensive local file system interaction and shell command execution, which are powerful capabilities that, while plausible for a local search tool, could be misused if the agent were prompted to do so.
- External report
- View on VirusTotal