qveris

SUSPICIOUS: The skill's purpose is coherent, and its primary data flows go to the named QVeris service, but it relies on an unpinned external MCP package and forwards QVERIS_API_KEY into that package. This is not confirmed malicious, yet the install trust and credential-forwarding footprint are larger than a minimal direct-REST integration and warrant medium risk.

The fragment documents a remote-install/install-and-run workflow for a Claude Code skill interfacing with QVeris, which introduces notable supply-chain and secret-management risks despite no embedded malicious code in the fragment itself. Primary risk drivers are remote installers, lack of integrity verification, and environment-based secret exposure. Actionable mitigations include signature/hash verification for installers, using pinned, signed packages, secret management (instead of plain env exports), and auditing downstream scripts (uv, qveris_tool.py) for secure handling and least-privilege.

SUSPICIOUS: mostly coherent with its stated purpose and uses a proportionate single API key, but it routes user requests through a third-party broker that discovers and executes many external tools, and the fallback local script plus MCP package provenance are not fully verifiable from the provided evidence. Risk is moderate due to intermediary data flow and limited transparency, not confirmed maliciousness.

SUSPICIOUS: the skill's stated purpose matches dynamic tool search/execution, and qveris.ai appears to be the official same-org endpoint, so this is not outright malicious. However, the scope is broad for an auto-invoked skill, all requests and params are routed through a third-party aggregator, and the unseen wrapper script leaves enforcement details unclear. Risk is mainly from delegated execution and credentialed brokered access, not confirmed malware.