Qveris

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a straightforward QVeris API wrapper, but it gives the agent broad remote tool-calling ability and uses a QVeris API key.

Install this only if you are comfortable letting Claude use QVeris as a remote tool gateway. Keep calls narrowly scoped, avoid sending secrets or confidential data as tool parameters, and review tool selections before using it for financial or other high-impact tasks.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may call remote tools selected through QVeris, so incorrect tool selection or parameters could send unintended requests to external APIs.

Why it was flagged

The core capability is dynamic remote tool execution, which is disclosed and purpose-aligned but broad enough that users should review tool choice and parameters before sensitive actions.

Skill content

QVeris provides dynamic tool discovery and execution - search for tools by capability, then execute them with parameters.

Recommendation

Use this skill for clearly scoped lookup and data-retrieval tasks; review the selected tool_id, search_id, and parameters before using it for financial, account, or other high-impact workflows.

What this means

Anyone with access to the environment variable could use the QVeris account quota or authority associated with that key.

Why it was flagged

The script uses a QVeris API key for bearer authentication to the provider, which is expected for the stated integration and not shown being leaked elsewhere.

Skill content

key = os.environ.get("QVERIS_API_KEY") ... "Authorization": f"Bearer {api_key}"

Recommendation

Use a dedicated QVeris key if possible, keep it out of prompts and logs, and rotate it if it may have been exposed.

What this means

Queries and tool parameters may be visible to QVeris and potentially to downstream tools it executes.

Why it was flagged

Search queries and execution parameters are sent to the QVeris remote gateway, which is necessary for the skill but means user-provided data leaves the local environment.

Skill content

BASE_URL = "https://qveris.ai/api/v1" ... json={"query": query, "limit": limit} ... json={"search_id": search_id, "parameters": parameters, "max_response_size": max_response_size}

Recommendation

Avoid placing secrets, private personal data, or confidential business details in QVeris tool parameters unless that sharing is intended.

What this means

Running remote installer commands executes code from the internet on the user's machine.

Why it was flagged

The README recommends user-run remote installer commands for uv. This is disclosed setup guidance from the uv project, not automatic skill behavior, but users should still review installer provenance.

Skill content

curl -LsSf https://astral.sh/uv/install.sh | sh ... powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"

Recommendation

Install uv using a method you trust, preferably following the official uv documentation, and review commands before running them.