← 返回 Skills 市场
QMD Memory
作者
asabovetech
· GitHub ↗
· v1.0.0
815
总下载
1
收藏
10
当前安装
1
版本数
在 OpenClaw 中安装
/install qmd-memory
功能描述
Enables local hybrid memory search and embedding using QMD to reduce API costs by $50-300/month with automatic setup, smart indexing, and multi-agent sharing.
安全使用建议
This skill appears to implement a local QMD-based memory integration, but check these items before installing: 1) Confirm the upstream source/repository and review the npm package @tobilu/qmd (the setup script installs it globally). 2) Understand that setup will scan and index your workspace (OPENCLAW_WORKSPACE or ~/.openclaw/workspace) — review your workspace for any files you don't want indexed (API keys, credentials, private notes) or run setup in a safe/test workspace first. 3) The skill auto-downloads ~2GB of models via QMD — ensure you have disk space and bandwidth, and verify where models come from. 4) There is a manifest inconsistency: skill.json references scripts/add-collection.sh which is missing — ask the author or inspect the package you install. 5) The serve command launches an HTTP MCP server; verify it binds only to localhost and secure access if you enable multi-agent sharing. 6) Prefer running the setup script contents manually (or inspect it line-by-line) rather than blindly executing as root. If you cannot verify the upstream repo or package code, treat installation as higher risk.
功能分析
Type: OpenClaw Skill
Name: qmd-memory
Version: 1.0.0
The skill is classified as suspicious primarily due to a prompt injection risk identified in `SKILL.md`. This file explicitly instructs the AI agent to set up a cron job (`0 3 * * * qmd update && qmd embed`) for persistence, which, while performing a benign function (updating the skill's index), demonstrates the capability to instruct the agent to establish system-level persistence. Additionally, the `scripts/setup.sh` script performs a global `npm install -g @tobilu/qmd`, which is a powerful system-level action, though necessary for the skill's functionality. No clear evidence of intentional malicious behavior like data exfiltration or unauthorized remote control was found.
能力评估
Purpose & Capability
The skill's name/description (local QMD memory to reduce API spend) aligns with the included scripts and SKILL.md: setup installs QMD via npm, creates collections from your workspace, runs qmd update/embed, and can start an MCP server. However skill.json references a script (scripts/add-collection.sh) that is not present in the file manifest — this is an incoherence. The skill also declares no required env vars but relies on OPENCLAW_WORKSPACE if present.
Instruction Scope
SKILL.md and scripts scan and index files under your workspace (default ~/.openclaw/workspace or OPENCLAW_WORKSPACE). Indexing 'workspace' is expected for a memory tool but can capture sensitive files (agent config, tokens, snippets containing credentials). The setup script will add collections for any matching directories and runs qmd embed (which processes local files). SKILL.md also shows a cron example for nightly updates, but the scripts do not actually install cron jobs — that's a documentation mismatch.
Install Mechanism
There is no package-level install spec; instead the setup script runs 'npm install -g @tobilu/qmd' at runtime. Installing a global npm package is common but downloads and runs third-party code (and that package will perform model downloads). The models (~2GB) are auto-downloaded by QMD from unspecified hosts. This is a moderate install risk because network downloads occur at setup time and code is fetched from the npm registry rather than a pinned, auditable release included in the skill bundle.
Credentials
The skill declares no required env vars or credentials, which is appropriate, but the setup script reads OPENCLAW_WORKSPACE (undeclared) and will scan that path and create collections. That means the skill may read and index any files under your workspace (including secrets stored in docs or config). It does not request external API keys (good), but the behavior of indexing arbitrary workspace files is a privacy risk and should be intentional and visible to the user.
Persistence & Privilege
always:false and default autonomous invocation are normal. The skill does not request permanent platform-level privileges or modify other skills. It can start a local MCP HTTP server (qmd mcp --http --daemon) which may accept connections; the script claims localhost:8181 but does not explicitly bind/address-check. The skill also writes to ~/.cache/qmd (models, index, pid) — expected for a local search tool.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install qmd-memory - 安装完成后,直接呼叫该 Skill 的名称或使用
/qmd-memory触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release: Local hybrid search for OpenClaw. Save $50-300/month in API costs.
元数据
常见问题
QMD Memory 是什么?
Enables local hybrid memory search and embedding using QMD to reduce API costs by $50-300/month with automatic setup, smart indexing, and multi-agent sharing. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 815 次。
如何安装 QMD Memory?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install qmd-memory」即可一键安装,无需额外配置。
QMD Memory 是免费的吗?
是的,QMD Memory 完全免费(开源免费),可自由下载、安装和使用。
QMD Memory 支持哪些平台?
QMD Memory 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 QMD Memory?
由 asabovetech(@asabovetech)开发并维护,当前版本 v1.0.0。
推荐 Skills