Back to skill
Skillv1.0.0
VirusTotal security
Qmd Memory 1.0.0 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:55 AM
- Hash
- 0e3c2913edf126167b07cf2b594eaa95d47c56f38583e01eac11c902af7340e4
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: qmd-memory-1-0-0 Version: 1.0.0 The skill installs a global npm package (`@tobilu/qmd`) via `npm install -g` in `scripts/setup.sh`, which introduces a supply chain risk. It also instructs the OpenClaw agent to set up a nightly cron job for index updates in `SKILL.md` and starts a daemonized local HTTP server for multi-agent memory sharing in `scripts/serve.sh`. While these actions provide persistence and network capabilities, they are aligned with the stated purpose of a local memory skill and do not show clear intent of malicious behavior like data exfiltration or unauthorized remote control, classifying it as suspicious rather than malicious.
- External report
- View on VirusTotal