Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
QMD - Quick Markdown Search
v1.0.0
Local hybrid search for markdown notes and docs. Use when searching notes, finding related content, or retrieving documents from indexed collections.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign, medium confidence
Purpose & Capability
The SKILL.md describes a local markdown search tool that runs the qmd binary and may load local LLM models; that aligns with the stated purpose. However, the registry metadata for this skill lists no required binaries or env vars while the SKILL.md requires Bun and the qmd binary (and includes a bun install command). This mismatch is likely just an authoring gap but is worth noting.
Instruction Scope
Runtime instructions are narrowly scoped to installing/using qmd, adding collections, running search/embed/update commands, and optionally scheduling cron jobs. The skill instructs indexing local files and storing models/cache under ~/.cache/qmd/models (or XDG_CACHE_HOME). There are no instructions to read unrelated system config or exfiltrate secrets.
Install Mechanism
There is no install spec in the registry, but SKILL.md includes an install step using 'bun install -g https://github.com/tobi/qmd' (GitHub). Installing via Bun from a GitHub repo is common but should be treated as a network install from third-party code; model downloads at first run are also expected. This is moderate-risk compared with purely instruction-only skills but coherent for the tool's function.
Credentials
The skill does not request credentials or sensitive environment variables. It asks the user to ensure Bun is on PATH and notes where models/cache are stored. These are proportionate to a local search/indexing tool.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It suggests optional cron scheduling for index updates, but does not demand permanent elevated presence or modify other skills' configs. Autonomous invocation is allowed (platform default) but not combined with other high-risk indicators here.
Assessment
This skill appears to be a legitimate local markdown search helper that relies on the external 'qmd' binary and (optionally) local LLM models. Before installing, verify the upstream GitHub repo (https://github.com/tobi/qmd) so you know what code will be installed. Be aware that: (1) the first run can auto-download GGUF models into ~/.cache/qmd/models (large files and network activity), (2) installation uses 'bun install -g' which adds third-party code to your system, and (3) scheduling index/embedding jobs (cron or agent scheduler) will run qmd commands regularly against files you index. If you need stricter control, run qmd in a sandbox or VM, inspect the repository you install from, and confirm model download sources and network endpoints before allowing automatic downloads.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🔍 Clawdis
OS: macOS · Linux
Bins: qmd
