Scan Report
15 /100
miliger-qmd-manager
Unified QMD knowledge base management skill, integrating the official qmd search feature
This QMD knowledge management skill uses safe execFile patterns but has minor documentation gaps regarding shell command execution.
Safe to install
Add explicit declaration of qmd CLI execution in SKILL.md capabilities section. Otherwise, the implementation follows security best practices.
Findings (1 item)
| Severity | Finding | Location |
|---|---|---|
| Low | Shell execution not declared in SKILL.md (Doc Mismatch) | index.js:67 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | READ | ✓ Aligned | Only reads knowledge base via qmd CLI |
| Shell | NONE | WRITE | ✗ Violation | Uses execFile to execute qmd CLI commands (index.js:67) |
| Network | NONE | NONE | — | No network activity detected |
| Environment | NONE | NONE | — | Does not access environment variables |
1 finding
Medium: External URL
https://clawhub.com/skills/miliger-qmd-manager (README.md:55)

File Tree
4 files · 12.9 KB · 499 lines
Markdown: 2 files · 287 lines
JavaScript: 1 file · 179 lines
JSON: 1 file · 33 lines
├─ index.js (JavaScript)
├─ package.json (JSON)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Dependencies (2 items)
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| child_process | builtin | node | No | Standard library only |
| path | builtin | node | No | Standard library only |
Security Positives
✓ Uses execFile instead of exec, avoiding shell injection vulnerabilities
✓ No external network requests or data exfiltration
✓ No credential harvesting or sensitive data access
✓ No base64 encoding or obfuscation detected
✓ No dependency on external packages (only uses Node.js built-ins)
✓ Predefined command whitelist: search, query, vsearch, status, get, collection
✓ User input passed as arguments (not concatenated into shell strings)