qveris

Fail

Audited by Socket on Feb 28, 2026

1 alert found:

Malware (HIGH)
SKILL.md

The package metadata describes a legitimate tool for dynamic API/tool discovery and execution via QVeris. From the provided artifact there is no direct evidence of embedded malware, but there are meaningful supply‑chain and privacy risks: arbitrary parameter forwarding (risk of secret leakage), auto_invoke behavior for trading-related triggers (risk of automated side‑effectful actions), and lack of the actual script for code review (blind spot). Before trusting or deploying this tool: obtain and review scripts/qveris_tool.py, restrict QVERIS_API_KEY privileges, require explicit user confirmation for tool execution (especially for actions with real‑world impact), avoid placing secrets in free‑form params, and verify QVeris’s data handling and third‑party vetting policies. The artifact should be treated with moderate caution until implementation and platform policies are reviewed.

Confidence: 98%
Severity: 55%

Audit Metadata
Analyzed At: Feb 28, 2026, 09:08 PM
Package URL: pkg:socket/skills-sh/hqman%2Fmy-skills%2Fqveris%2F@598be6fa18899cd93a3b7e1f16d7fb4c21611bc0