Local search/indexing CLI (BM25 + vectors + rerank) with MCP mode.
Security Analysis
medium confidence
The skill is internally consistent: it wraps a local search/indexing CLI (qmd), and the install and runtime notes match the described purpose. However, it references an embedding backend (OLLAMA_URL) and writes an index to ~/.cache/qmd, so you should review where data may be sent and what gets indexed before installing.
Name/description match the runtime instructions and required binary: the skill expects a 'qmd' CLI and its commands (index, search, mcp) align with the stated local search/indexing purpose. The declared install produces the 'qmd' binary from the linked GitHub repo, which is appropriate for the stated capability.
SKILL.md only instructs the agent to run qmd commands (add collection, update, search, get). It documents where the index lives (~/.cache/qmd) and that embeddings/rerank use OLLAMA_URL (default http://localhost:11434). This is in-scope for a search tool, but it means indexed file contents may be sent to whatever OLLAMA_URL is set to; the SKILL.md mentions the env var but the skill does not declare it in requires.env.
Install is a node package pointing to a GitHub repo (https://github.com/tobi/qmd). Using a GitHub URL is common and lower risk than arbitrary downloads, but it is less vetted than an official registry release; you should inspect the repository release/packaging before installing.
The skill declares no required environment variables, which is reasonable. However SKILL.md references OLLAMA_URL for embeddings/rerank (defaulting to localhost). That env var is relevant to the functionality but is not declared as required; if OLLAMA_URL points to a remote service, document contents could be transmitted off-host — this is a configuration/privacy consideration rather than an incoherence.
The skill does not request persistent platform privileges (always:false) and does not declare modifications to other skills or system-wide config. It does create and use a local index (~/.cache/qmd), which is expected for this tool and should be treated as potentially sensitive data.
Guidance
This skill appears to do what it says: it runs the qmd CLI to index and search local files. Before installing or using it:
1) Inspect the GitHub repository (https://github.com/tobi/qmd) or package contents to verify there is no unexpected behavior in the qmd binary.
2) Be deliberate about which directories you index; do not point it at sensitive system or credential directories.
3) Note the index is stored in ~/.cache/qmd; consider its permissions and clean-up policy.
4) Embeddings/rerank use OLLAMA_URL (default localhost:11434). Ensure OLLAMA_URL is set to a trusted local service; if you point it to a remote endpoint you may transmit document contents off-host.
5) Prefer running the tool in a sandbox or non-privileged account until you are comfortable with its behavior.
Latest Release
v1.0.0
Initial release of qmd: a local search and indexing CLI tool.
- Supports file indexing with collection management and update commands.
- Provides search with BM25, vector, and hybrid (rerank) modes.
- Integrates with Ollama for embedding and rerank functionality.
- Includes MCP mode for additional functionality.
- Default index storage at ~/.cache/qmd.
Published by @instant-picture on ClawHub