Qryma Search

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This looks like a normal Qryma web-search skill, but it requires a Qryma API key and sends search queries to Qryma or any endpoint you configure.

This skill appears safe for its stated purpose. Before installing, make sure you are comfortable sending search queries to Qryma, keep your QRYMA_API_KEY private, and only use a custom QRYMA_ENDPOINT if you trust it.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill gives it access to make Qryma API calls with your key, which may be associated with your account or usage limits.

Why it was flagged

The script sends the configured Qryma API key as an authentication header when making search requests. This is expected for the service, but it is still account credential use.

Skill content

"X-Api-Key": self.api_key

Recommendation

Use a dedicated Qryma key, store it as an environment variable or secure config, and rotate it if it is accidentally shared.

What this means

Your search terms, language/safe-search settings, result limits, and API key are sent to Qryma by default or to a custom endpoint if you configure one.

Why it was flagged

Search query data is posted to the configured endpoint, and the endpoint can be overridden through environment or config. This is disclosed and purpose-aligned, but users should know where their queries and key are being sent.

Skill content

endpoint = os.environ.get("QRYMA_ENDPOINT") ... urllib.request.Request(self.endpoint, data=data

Recommendation

Keep the default endpoint unless you trust the alternative, and avoid setting QRYMA_ENDPOINT from shared or untrusted project .env files.

What this means

If you paste a real API key into chat, it may be visible in logs, transcripts, or to systems that process the conversation.

Why it was flagged

The setup instructions encourage providing the API key to the AI assistant for configuration. That may be convenient, but it means placing a secret into the assistant/chat context.

Skill content

Please configure qryma search with the QRYMA_API_KEY set to ak-your-api-key-here.

Recommendation

Prefer secure secret-entry or local environment configuration; if you do paste a key into chat, use a limited-purpose key and rotate it afterward if needed.