Qmd Skill Main
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: qmd-skill-main Version: 1.0.0 The skill bundle is classified as benign. All instructions in SKILL.md, including the installation command `bun install -g https://github.com/tobi/qmd` and subsequent usage examples, are directly aligned with the stated purpose of providing local hybrid search for markdown notes using the 'qmd' tool. There is no evidence of intentional harmful behavior such as data exfiltration, unauthorized execution of arbitrary code, persistence mechanisms for malicious payloads, or prompt injection attempts designed to subvert the agent's core function or access unrelated sensitive data. The cron examples provided are for maintaining the tool's index, not for malicious persistence.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or using semantic search may fetch package/model assets outside the reviewed skill files.
The skill relies on installing qmd from an external GitHub source and downloading model assets on first run; this is disclosed and relevant to the purpose, but the artifacts do not pin versions or checksums.
`bun install -g https://github.com/tobi/qmd` ... `Uses local GGUF models; first run auto-downloads them.`
Install only if you trust the qmd source, prefer pinned releases or checksums if available, and review the qmd project separately before relying on it for sensitive collections.
Private notes or documents in indexed folders may be retrieved and used by the agent, including full documents when requested or needed.
The skill creates searchable local collections and embeddings from Markdown files and can return full document contents to the agent context.
`qmd collection add /path/to/notes --name notes --mask "**/*.md"` ... `qmd embed` ... `--full`: return full document content
Index only folders you intend the agent to search, avoid secrets or overly broad home-directory collections, and treat retrieved Markdown as untrusted context rather than authoritative instructions.
If enabled, indexing can continue in the background and include new or changed Markdown files from configured collections.
The skill suggests optional recurring cron or scheduler commands that continue updating indexes after initial setup.
`Automate indexing so results stay current` ... `0 * * * * ... qmd update` ... `0 5 * * * ... qmd embed`
Use scheduled indexing only if you want ongoing updates, keep collection paths narrow, and review or remove cron/scheduler entries when no longer needed.