astock-research
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone running or inspecting the skill may use or expose this API key, and requests may be made under an account that the user does not control.
The script embeds a provider API key directly in the skill package instead of requiring a user-provided, scoped credential.
export QVERIS_API_KEY=sk-XVkZepq...
Remove the hard-coded key, declare the credential requirement, and require users to provide their own API key through a secure environment variable or platform credential mechanism.
The actual code executed depends on another local skill outside this package, so the reviewed artifacts do not fully describe what will run when the helper script is used.
The helper script runs a tool from an absolute path in another skill and relies on uv, but the metadata declares no required binaries, install spec, config paths, or dependency on that external skill.
~/.local/bin/uv run /home/ubuntu/.openclaw/workspace/skills/qveris/scripts/qveris_tool.py execute
Declare and pin external dependencies, avoid absolute machine-specific paths, and include or reference the required tool in a transparent, reviewable way.
