Skill v1.0.0

ClawScan security

QMD Memory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 28, 2026, 8:42 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly does what its description promises (local QMD-based memory), but there are a few inconsistencies and privacy/installation risks you should understand before installing.
Guidance
This skill appears to implement a local QMD-based memory integration, but check these items before installing:
1) Confirm the upstream source/repository and review the npm package @tobilu/qmd (the setup script installs it globally).
2) Understand that setup will scan and index your workspace (OPENCLAW_WORKSPACE or ~/.openclaw/workspace). Review your workspace for any files you don't want indexed (API keys, credentials, private notes), or run setup in a safe/test workspace first.
3) The skill auto-downloads ~2GB of models via QMD. Ensure you have disk space and bandwidth, and verify where the models come from.
4) There is a manifest inconsistency: skill.json references scripts/add-collection.sh, which is missing. Ask the author or inspect the package you install.
5) The serve command launches an HTTP MCP server; verify it binds only to localhost and secure access if you enable multi-agent sharing.
6) Prefer running the setup script contents manually (or inspecting it line by line) rather than blindly executing it as root.
If you cannot verify the upstream repo or package code, treat installation as higher risk.

Review Dimensions

Purpose & Capability
note: The skill's name/description (local QMD memory to reduce API spend) aligns with the included scripts and SKILL.md: setup installs QMD via npm, creates collections from your workspace, runs qmd update/embed, and can start an MCP server. However, skill.json references a script (scripts/add-collection.sh) that is not present in the file manifest, which is an inconsistency. The skill also declares no required env vars but relies on OPENCLAW_WORKSPACE if present.
Instruction Scope
concern: SKILL.md and scripts scan and index files under your workspace (default ~/.openclaw/workspace or OPENCLAW_WORKSPACE). Indexing 'workspace' is expected for a memory tool but can capture sensitive files (agent config, tokens, snippets containing credentials). The setup script will add collections for any matching directories and runs qmd embed (which processes local files). SKILL.md also shows a cron example for nightly updates, but the scripts do not actually install cron jobs; that is a documentation mismatch.
Install Mechanism
note: There is no package-level install spec; instead the setup script runs 'npm install -g @tobilu/qmd' at runtime. Installing a global npm package is common but downloads and runs third-party code (and that package will perform model downloads). The models (~2GB) are auto-downloaded by QMD from unspecified hosts. This is a moderate install risk because network downloads occur at setup time and code is fetched from the npm registry rather than a pinned, auditable release included in the skill bundle.
Credentials
concern: The skill declares no required env vars or credentials, which is appropriate, but the setup script reads OPENCLAW_WORKSPACE (undeclared) and will scan that path and create collections. That means the skill may read and index any files under your workspace (including secrets stored in docs or config). It does not request external API keys (good), but the behavior of indexing arbitrary workspace files is a privacy risk and should be intentional and visible to the user.
Persistence & Privilege
ok: always:false and default autonomous invocation are normal. The skill does not request permanent platform-level privileges or modify other skills. It can start a local MCP HTTP server (qmd mcp --http --daemon) which may accept connections; the script claims localhost:8181 but does not explicitly set or check the bind address. The skill also writes to ~/.cache/qmd (models, index, pid), which is expected for a local search tool.