qmd Search
v1.1.0Fast local search for markdown files, notes, and docs using qmd CLI. Use instead of `find` for file discovery. Combines BM25 full-text search, vector semantic search, and LLM reranking—all running locally. Use when searching for files, finding code, locating documentation, or discovering content in indexed collections.
⭐ 1· 3.3k·17 current·17 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md clearly expects the qmd CLI and local model runtimes (embeddinggemma-300M, qwen3-reranker-0.6b, Qwen3-0.6B). However, the registry metadata declares no required binaries, no install instructions, and no homepage/source. A user installing this skill would legitimately need qmd and model runtime support, so the omission is an incoherence that should be explained by the publisher.
Instruction Scope
The runtime instructions stay within the stated purpose (searching/indexing local files and returning snippets). They do imply the agent will read files in user-specified collections (expected for a search tool). The document also mentions 'models (auto-downloaded)' — the instructions do not specify where these downloads come from or whether they require network access or extra permissions.
Install Mechanism
There is no install spec (instruction-only), which is low-risk generally, but the SKILL.md claims models are auto-downloaded and run locally. The skill does not document the source of those model downloads (no URLs, releases, or registries). Unspecified automatic downloads of large model binaries increase risk (arbitrary network fetch & disk writes) and should be documented.
Credentials
The skill declares no required environment variables, credentials, or config paths and the instructions do not reference any secrets or unrelated env vars. That absence is proportionate to the stated purpose.
Persistence & Privilege
The skill is not marked 'always' and does not request persistent system privileges. As an instruction-only skill it does not modify other skills' configs or demand elevated privileges.
What to consider before installing
Before installing, verify these things with the publisher: (1) Confirm whether the qmd CLI is required and provide explicit 'required binaries' metadata (the SKILL.md assumes qmd is present). (2) Document install steps or a trusted source for the qmd binary and for the models (where the 'auto-downloaded' models come from—e.g., official releases, Hugging Face, or a vendor mirror). Unspecified model downloads can pull large binaries from arbitrary hosts and consume disk/network; ask how downloads are authenticated and where they are stored. (3) Understand which directories the skill will index and ensure you are comfortable granting the agent read access to those paths. (4) If you need higher assurance, request a homepage or source repo for the skill so you can inspect install scripts. If the publisher provides a clear install manifest and trusted model sources (or states qmd is preinstalled in your environment), this assessment could be downgraded to benign.Like a lobster shell, security has layers — review code before you run it.
latestvk977fyj1brj3ehkbr3gs3czbps801pkj
License
MIT-0
Free to use, modify, and redistribute. No attribution required.