ClawHub

Qmd

Local search/indexing CLI (BM25 + vectors + rerank) with MCP mode.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
88 · 24.3k · 310 current installs · 325 all-time installs
byPeter Steinberger@steipete
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md describes a local CLI (qmd) for indexing/search and the metadata asks for the qmd binary and provides a node-based install from a GitHub repo—this is generally coherent. However the instructions reference an environment variable (OLLAMA_URL) for embeddings/rerank but the skill declares no required env vars; that mismatch should be clarified.
Instruction Scope
Runtime instructions are limited to executing qmd commands (index/update/search/get/mcp) and note index location (~/.cache/qmd). They do not instruct broad system access or exfiltration in themselves. They do rely on the qmd binary performing file IO and contacting an embeddings service (Ollama).
Install Mechanism
The embedded metadata suggests installing a node package from a GitHub URL (https://github.com/tobi/qmd). Pulling code from a GitHub repo is common but still executes third-party code on install — moderate risk compared to using a vetted package registry or release artifact. The SKILL.md itself contains no code, so the install step would create the runtime footprint.
!
Credentials
The instructions reference OLLAMA_URL (default http://localhost:11434) for embeddings/rerank but the skill lists no required environment variables. That omission hides a meaningful external dependency. If a user sets OLLAMA_URL to a remote host, document/text sent for embeddings could be transmitted off-box. No credentials are requested by the skill, but the potential for data to be sent to an external Ollama endpoint is a proportionality/privacy concern that should be explicit.
Persistence & Privilege
The skill does not request always:true, does not list config paths, and is user-invocable only. There is no evidence it attempts to modify other skills or gain permanent elevated presence.
What to consider before installing
Before installing: 1) Verify the upstream repository (https://github.com/tobi/qmd) — review its code, releases, and maintainer — because the install pulls code from GitHub. 2) Note that embeddings/rerank use Ollama and the SKILL.md references OLLAMA_URL but doesn't declare it; ensure OLLAMA_URL is set to a trusted local instance (or leave as default) otherwise your indexed content could be sent to a remote endpoint. 3) If you need higher assurance, run qmd in an isolated environment (container, VM) and inspect what network connections it makes during indexing/search. 4) Ask the skill author to explicitly declare required env vars (OLLAMA_URL) and to point to a specific release artifact or package registry to reduce install risk. These steps will increase confidence in the skill's safety.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk978q7m1gvbjc5mzk5qja21mx17yjmyz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📝 Clawdis
Binsqmd

Install

Install qmd (node)
Bins: qmd
npm i -g https://github.com/tobi/qmd

SKILL.md

qmd

Use qmd to index local files and search them.

Indexing

  • Add collection: qmd collection add /path --name docs --mask "**/*.md"
  • Update index: qmd update
  • Status: qmd status

Search

  • BM25: qmd search "query"
  • Vector: qmd vsearch "query"
  • Hybrid: qmd query "query"
  • Get doc: qmd get docs/path.md:10 -l 40

Notes

  • Embeddings/rerank use Ollama at OLLAMA_URL (default http://localhost:11434).
  • Index lives under ~/.cache/qmd by default.
  • MCP mode: qmd mcp.

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…