enable-semantic-search
Fail
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill performs a global installation of the `qmd` tool directly from an unverified GitHub repository (`github:tobi/qmd`). Installing and running code from personal repositories allows for arbitrary code execution with the user's system privileges.
- [COMMAND_EXECUTION]: The skill executes local JavaScript files (`scan-vault.cjs` and `check-availability.cjs`) assumed to exist within the user's vault. These scripts are not part of the skill's distributed code, making their behavior unverifiable. Additionally, the skill modifies sensitive configuration files like `~/.claude.json` to register MCP servers.
- [EXTERNAL_DOWNLOADS]: The skill downloads and executes the Bun runtime installer from a remote source (`https://bun.sh/install`) via a pipe to bash. While the source is a well-known service, this method is a high-risk operation that bypasses traditional package verification. It also downloads approximately 2GB of AI models from HuggingFace.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its vault scanning feature.
  - Ingestion points: Vault files processed by the `scan-vault.cjs` script.
  - Boundary markers: Absent; the agent treats the scanner's JSON output as trusted data for configuration.
  - Capability inventory: Execution of shell commands for tool installation (`bun`, `brew`) and index management (`qmd`).
  - Sanitization: Absent; metadata and paths extracted from the vault are interpolated directly into command arguments and configuration files.
Recommendations
- HIGH: Downloads and executes remote code from: https://bun.sh/install - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata