memfs-search
Warn
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill documentation and scripts (SKILL.md and references/qmd-setup.md) instruct the user or agent to install the '@tobilu/qmd' package from the NPM registry. This is a third-party dependency from an unverified source.
- [REMOTE_CODE_EXECUTION]: During the setup phase, the 'qmd embed' command downloads approximately 2GB of GGUF model files from Hugging Face (e.g., Qwen3-Embedding). These binary models are executed locally by the unverified 'qmd' utility to process agent memory.
- [COMMAND_EXECUTION]: The 'scripts/memfs-search.sh' bash script acts as a wrapper that forwards all command-line arguments ($@) directly to the 'qmd' binary. This pattern can facilitate argument injection if the underlying tool's CLI parser handles certain flags unsafely.
- [PROMPT_INJECTION]:
  - Ingestion points: The skill recursively indexes all markdown files within the $MEMORY_DIR directory (via 'qmd collection add').
  - Boundary markers: Search results returned to the agent lack explicit delimiters or instructions to treat the retrieved content as untrusted.
  - Capability inventory: The agent relies on this skill to find and load 'reference materials' and 'memory blocks', which are then incorporated into the agent's context for decision-making.
  - Sanitization: No sanitization or filtering of the indexed content is performed, creating a surface for indirect prompt injection if malicious instructions are placed in a memory file.
- [CREDENTIALS_UNSAFE]: While no secrets are hardcoded, the skill is designed to index the entire memory directory, which may inadvertently contain sensitive configuration files or environment variables if the user stores them there.
Audit Metadata