Qverisai 1.0.1

Pass

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a transparent QVeris API integration, but it can run a broad catalog of remote tools and sends selected inputs plus a QVeris key to that provider.

Install only if you trust QVeris as a broad remote-tool provider. Use a revocable API key, avoid sending sensitive personal or business data unless necessary, and consider asking the agent to confirm the selected tool and parameters before execution.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

When the agent uses this skill, it may trigger QVeris-side API calls and send the chosen parameters to remote services.

Why it was flagged

The skill intentionally enables the agent to discover and execute a broad remote tool catalog. This matches the stated purpose, but it is broader than a single-purpose API integration.

Skill content

auto_invoke: true ... QVeris provides dynamic tool discovery and execution ... Execute any discovered tool with parameters.

Recommendation

Use it for tasks where broad external API access is acceptable, and ask the agent to confirm the selected tool and parameters before sensitive or costly executions.

What this means

Anyone or any agent process with this environment variable can use your QVeris account quota or permissions through the skill.

Why it was flagged

The code reads a QVeris API key from the environment and uses it as a bearer token for QVeris requests. This is expected for the service but still grants account-level usage authority.

Skill content

const key = process.env.QVERIS_API_KEY; ... Authorization: `Bearer ${apiKey}`

Recommendation

Use a scoped, revocable QVeris key, monitor provider usage, and do not expose the key in shared shells or logs.

What this means

Users may have less clarity about which publisher/version they are installing.

Why it was flagged

The package metadata is inconsistent across provided artifacts, creating a provenance/version verification note even though the included code is transparent.

Skill content

Registry metadata: Owner ID kn7edqxt9xhsfxvxp77mv7761981vvc2, Version 1.0.0; _meta.json: "ownerId": "kn730nze617pqzzn1z0c7dknnd809yqp", "version": "1.0.1"

Recommendation

Verify the package source, publisher, and version before installing or setting a real API key.

What this means

Sensitive finance, health, location, or personal data included in prompts or parameters may be processed by QVeris and possibly downstream tool providers.

Why it was flagged

The skill sends user-provided tool parameters to QVeris for execution against a dynamic catalog. The downstream tool/provider selected at runtime is not fully knowable from the static artifacts.

Skill content

QVeris aggregates thousands of API tools ... Execute a specific tool with parameters

Recommendation

Avoid sending secrets or unnecessary personal data, and review the selected tool/provider when handling sensitive requests.