Qmd

Pass. Audited by VirusTotal on May 13, 2026.

Overview

Type: OpenClaw Skill
Name: qmd
Version: 1.0.0

The skill bundle defines a local search/indexing CLI tool. The `SKILL.md` provides installation instructions for `qmd` from a seemingly legitimate GitHub repository (`https://github.com/tobi/qmd`) and outlines local CLI usage. There is no evidence of data exfiltration, malicious execution instructions, persistence mechanisms, prompt injection attempts, or obfuscation. All described operations are local and aligned with the stated purpose of a search/indexing tool.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Files added to Qmd collections may remain searchable through the local index after indexing.

Why it was flagged

The skill intentionally creates a persistent local index of selected files, which may include sensitive or stale content if the user indexes broad directories.

Skill content

Use `qmd` to index local files and search them. ... Index lives under `~/.cache/qmd` by default.

Recommendation

Index only intended directories, use narrow masks, avoid secrets or broad home-directory indexing, and manage or clear the `~/.cache/qmd` data when no longer needed.

What this means

If connected to an untrusted MCP client or a non-local Ollama endpoint, indexed content or search queries could be exposed outside the intended local workflow.

Why it was flagged

The skill discloses integration points that can process indexed content or expose search through MCP; the artifact does not describe additional access controls or client boundaries.

Skill content

Embeddings/rerank use Ollama at `OLLAMA_URL` (default `http://localhost:11434`). ... MCP mode: `qmd mcp`.

Recommendation

Use MCP mode only with trusted clients, keep `OLLAMA_URL` local unless you intentionally trust a remote endpoint, and limit indexed collections accordingly.

What this means

Installing the skill depends on trusting the external qmd package source.

Why it was flagged

The install path fetches the runnable qmd package from an external GitHub repository, while the provided artifact set does not include implementation files.

Skill content

node | package: https://github.com/tobi/qmd | creates binaries: qmd

Recommendation

Review or trust the GitHub repository before installing, and prefer pinned or verified versions when available.