← Back to Skills Marketplace
QMD Memory
by
asabovetech
· GitHub ↗
· v1.0.0
815
Downloads
1
Stars
10
Active Installs
1
Versions
Install in OpenClaw
/install qmd-memory
Description
Enables local hybrid memory search and embedding using QMD to reduce API costs by $50-300/month with automatic setup, smart indexing, and multi-agent sharing.
Usage Guidance
This skill appears to implement a local QMD-based memory integration, but check these items before installing: 1) Confirm the upstream source/repository and review the npm package @tobilu/qmd (the setup script installs it globally). 2) Understand that setup will scan and index your workspace (OPENCLAW_WORKSPACE or ~/.openclaw/workspace) — review your workspace for any files you don't want indexed (API keys, credentials, private notes) or run setup in a safe/test workspace first. 3) The skill auto-downloads ~2GB of models via QMD — ensure you have disk space and bandwidth, and verify where models come from. 4) There is a manifest inconsistency: skill.json references scripts/add-collection.sh which is missing — ask the author or inspect the package you install. 5) The serve command launches an HTTP MCP server; verify it binds only to localhost and secure access if you enable multi-agent sharing. 6) Prefer running the setup script contents manually (or inspect it line-by-line) rather than blindly executing as root. If you cannot verify the upstream repo or package code, treat installation as higher risk.
Capability Analysis
Type: OpenClaw Skill
Name: qmd-memory
Version: 1.0.0
The skill is classified as suspicious primarily due to a prompt injection risk identified in `SKILL.md`. This file explicitly instructs the AI agent to set up a cron job (`0 3 * * * qmd update && qmd embed`) for persistence, which, while performing a benign function (updating the skill's index), demonstrates the capability to instruct the agent to establish system-level persistence. Additionally, the `scripts/setup.sh` script performs a global `npm install -g @tobilu/qmd`, which is a powerful system-level action, though necessary for the skill's functionality. No clear evidence of intentional malicious behavior like data exfiltration or unauthorized remote control was found.
Capability Assessment
Purpose & Capability
The skill's name/description (local QMD memory to reduce API spend) aligns with the included scripts and SKILL.md: setup installs QMD via npm, creates collections from your workspace, runs qmd update/embed, and can start an MCP server. However skill.json references a script (scripts/add-collection.sh) that is not present in the file manifest — this is an incoherence. The skill also declares no required env vars but relies on OPENCLAW_WORKSPACE if present.
Instruction Scope
SKILL.md and scripts scan and index files under your workspace (default ~/.openclaw/workspace or OPENCLAW_WORKSPACE). Indexing 'workspace' is expected for a memory tool but can capture sensitive files (agent config, tokens, snippets containing credentials). The setup script will add collections for any matching directories and runs qmd embed (which processes local files). SKILL.md also shows a cron example for nightly updates, but the scripts do not actually install cron jobs — that's a documentation mismatch.
Install Mechanism
There is no package-level install spec; instead the setup script runs 'npm install -g @tobilu/qmd' at runtime. Installing a global npm package is common but downloads and runs third-party code (and that package will perform model downloads). The models (~2GB) are auto-downloaded by QMD from unspecified hosts. This is a moderate install risk because network downloads occur at setup time and code is fetched from the npm registry rather than a pinned, auditable release included in the skill bundle.
Credentials
The skill declares no required env vars or credentials, which is appropriate, but the setup script reads OPENCLAW_WORKSPACE (undeclared) and will scan that path and create collections. That means the skill may read and index any files under your workspace (including secrets stored in docs or config). It does not request external API keys (good), but the behavior of indexing arbitrary workspace files is a privacy risk and should be intentional and visible to the user.
Persistence & Privilege
always:false and default autonomous invocation are normal. The skill does not request permanent platform-level privileges or modify other skills. It can start a local MCP HTTP server (qmd mcp --http --daemon) which may accept connections; the script claims localhost:8181 but does not explicitly bind/address-check. The skill also writes to ~/.cache/qmd (models, index, pid) — expected for a local search tool.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install qmd-memory - After installation, invoke the skill by name or use
/qmd-memory - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Local hybrid search for OpenClaw. Save $50-300/month in API costs.
Metadata
Frequently Asked Questions
What is QMD Memory?
Enables local hybrid memory search and embedding using QMD to reduce API costs by $50-300/month with automatic setup, smart indexing, and multi-agent sharing. It is an AI Agent Skill for Claude Code / OpenClaw, with 815 downloads so far.
How do I install QMD Memory?
Run "/install qmd-memory" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is QMD Memory free?
Yes, QMD Memory is completely free (open-source). You can download, install and use it at no cost.
Which platforms does QMD Memory support?
QMD Memory is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created QMD Memory?
It is built and maintained by asabovetech (@asabovetech); the current version is v1.0.0.
More Skills