qveris

Fail

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: HIGH (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The README.md and README.zh-CN.md files instruct users to install the uv package manager by piping a remote script directly into the shell: curl -LsSf https://astral.sh/uv/install.sh | sh. This is a dangerous practice as it executes unverified code from the internet with the user's current privileges.
  • [EXTERNAL_DOWNLOADS]: The skill relies on https://astral.sh for its core dependency manager and communicates with https://qveris.ai/api/v1 to search for and execute third-party tools. While these are documented as the intended service providers, they represent external dependencies that control the skill's runtime behavior.
  • [COMMAND_EXECUTION]: The scripts/qveris_tool.py script executes HTTP POST requests to a remote endpoint (/tools/execute) to trigger external tool execution. While the script itself uses an HTTP client, the primary purpose of the skill is to facilitate the execution of arbitrary external capabilities within the agent's context.
  • [DATA_EXFILTRATION]: The skill requires the QVERIS_API_KEY environment variable. The scripts/qveris_tool.py script retrieves this key and sends it in the Authorization header to https://qveris.ai. This is standard for API interactions but constitutes sending a sensitive credential to a third-party service.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8).
      • Ingestion points: Data enters the system via the search and execute commands in scripts/qveris_tool.py, which process descriptions and results from the QVeris API.
      • Boundary markers: None observed in the prompt templates or the script; the agent is expected to interpret and act on the tool search results directly.
      • Capability inventory: The skill allows for the discovery and execution of thousands of dynamic tools (weather, stocks, search, etc.) which are triggered via httpx POST requests.
      • Sanitization: There is no evidence of sanitization or validation of the content returned by the QVeris API before it is presented to the agent, potentially allowing a malicious API provider or a compromised search result to influence the agent's next steps.
Recommendations
  • HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 9, 2026, 04:55 PM