Qveris
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: qveris Version: 0.1.0 The skill is a client for the QVeris API, designed to search and execute dynamic tools. The `SKILL.md` provides clear instructions for the AI agent on how to use the skill, without any prompt injection attempts to subvert the agent's behavior. The `qveris_tool.py` script securely retrieves the `QVERIS_API_KEY` environment variable and uses it to authenticate with the legitimate `https://qveris.ai` endpoint. There is no evidence of unauthorized data exfiltration, persistence mechanisms, or arbitrary code execution on the local system. The `README.md` includes `curl | sh` instructions for installing `uv`, which is a standard installation method for that specific prerequisite from its official source (`astral.sh`) and not indicative of malicious intent within this skill bundle.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may call remote tools selected through QVeris, so incorrect tool selection or parameters could send unintended requests to external APIs.
The core capability is dynamic remote tool execution, which is disclosed and purpose-aligned but broad enough that users should review tool choice and parameters before sensitive actions.
QVeris provides dynamic tool discovery and execution - search for tools by capability, then execute them with parameters.
Use this skill for clearly scoped lookup and data-retrieval tasks; review the selected tool_id, search_id, and parameters before using it for financial, account, or other high-impact workflows.
Anyone with access to the environment variable could use the QVeris account quota or authority associated with that key.
The script uses a QVeris API key for bearer authentication to the provider, which is expected for the stated integration and not shown being leaked elsewhere.
key = os.environ.get("QVERIS_API_KEY") ... "Authorization": f"Bearer {api_key}"Use a dedicated QVeris key if possible, keep it out of prompts and logs, and rotate it if it may have been exposed.
Queries and tool parameters may be visible to QVeris and potentially to downstream tools it executes.
Search queries and execution parameters are sent to the QVeris remote gateway, which is necessary for the skill but means user-provided data leaves the local environment.
BASE_URL = "https://qveris.ai/api/v1" ... json={"query": query, "limit": limit} ... json={"search_id": search_id, "parameters": parameters, "max_response_size": max_response_size}Avoid placing secrets, private personal data, or confidential business details in QVeris tool parameters unless that sharing is intended.
Running remote installer commands executes code from the internet on the user's machine.
The README recommends user-run remote installer commands for uv. This is disclosed setup guidance from the uv project, not automatic skill behavior, but users should still review installer provenance.
curl -LsSf https://astral.sh/uv/install.sh | sh ... powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"
Install uv using a method you trust, preferably following the official uv documentation, and review commands before running them.