QVerisAI

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: qverisai
Version: 1.0.1

The skill is designed to interact with the QVeris API for dynamic tool search and execution. The `scripts/qveris_tool.mjs` code adheres to the security claims made in `SKILL.md`, specifically that it only accesses the `QVERIS_API_KEY` environment variable and sends it exclusively to `https://qveris.ai/api/v1`. There is no evidence of unauthorized data exfiltration, malicious execution, persistence mechanisms, or obfuscation. The skill passes user-provided JSON parameters directly to the QVeris API, which could be a vulnerability if the OpenClaw agent does not properly sanitize user input before constructing the `--params` argument; this is a vulnerability in the agent's interaction with the skill rather than malicious intent within the skill itself. The skill's behavior is clearly aligned with its stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may call a wide range of QVeris-discovered external tools when a user request appears relevant.

Why it was flagged

This documents a broad dynamic tool-execution gateway. It is the stated purpose of the skill, but users should notice the breadth before allowing autonomous calls.

Skill content

Search and execute dynamic tools via QVeris API... covers weather, search, stocks, finance, economics, geolocation, AIGC, news, social media, health data, and thousands more.

Recommendation

For sensitive, costly, or high-impact tasks, ask the agent to show the selected tool and parameters before execution.

What this means

Anyone using the skill must trust QVeris with the API key and any usage charged to that key.

Why it was flagged

The script reads the QVeris API key from the environment and sends it as a bearer token to QVeris. This is expected for the integration, and the code does not show reads of other environment variables.

Skill content

const key = process.env.QVERIS_API_KEY; ... Authorization: `Bearer ${apiKey}`

Recommendation

Use a scoped, revocable QVeris API key, monitor usage, and rotate the key if you suspect misuse.

What this means

Queries, tool parameters, and results may be processed by QVeris and potentially downstream services selected through QVeris.

Why it was flagged

Execution parameters are sent to the QVeris API, which acts as a dynamic external tool gateway. This is disclosed and purpose-aligned, but it means user-supplied parameters leave the local environment.

Skill content

const BASE_URL = "https://qveris.ai/api/v1"; ... body: JSON.stringify({ search_id: searchId, parameters, max_response_size: maxResponseSize })

Recommendation

Avoid sending secrets, private personal data, or regulated information unless you have reviewed QVeris’s data handling and the specific tool being called.