Back to skill
Skillv1.0.0
VirusTotal security
QMD Memory · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:46 AM
- Hash
- 52a3b4359b98c36dafd10f2961d2518374fa57747d805e7206abb37459fa6b91
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: qmd-memory Version: 1.0.0 The skill is classified as suspicious primarily due to a prompt injection risk identified in `SKILL.md`. This file explicitly instructs the AI agent to set up a cron job (`0 3 * * * qmd update && qmd embed`) for persistence, which, while performing a benign function (updating the skill's index), demonstrates the capability to instruct the agent to establish system-level persistence. Additionally, the `scripts/setup.sh` script performs a global `npm install -g @tobilu/qmd`, which is a powerful system-level action, though necessary for the skill's functionality. No clear evidence of intentional malicious behavior like data exfiltration or unauthorized remote control was found.
- External report
- View on VirusTotal