Back to plugin

Security audit

LUCID Context Engine

Security checks across malware telemetry and agentic risk

Overview

LUCID appears purpose-built for memory retrieval, but it automatically injects broad QMD-indexed workspace content into the model's system prompt, which creates privacy and prompt-injection risks users should review.

Install only if you are comfortable with QMD-indexed workspace content being automatically recalled into model context. Before enabling, restrict what QMD indexes, verify qmdShimPath, avoid using it in highly sensitive sessions, and consider adding untrusted-content guards around retrieved snippets.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/src/search.js:11
Evidence
const child = spawn(process.execPath, [config.qmdShimPath, "search", prompt, "-n", String(n), "--json"], { env: process.env, stdio: ["ignore", "pipe", "pipe"], ...

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/search.ts:37
Evidence
const child = spawn(