Oathe Security Badge

Is hqman/qveris safe?

https://clawhub.ai/hqman/qveris

75
CAUTION

The qveris skill provides dynamic API discovery and execution through an external service, which raises data privacy and security concerns. While functionally legitimate, it transmits user data externally and enables broad API execution capabilities that could be misused.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 50/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (5)

HIGH User data transmitted to external service -50

The skill sends user search queries and API execution parameters to the external QVeris service at qveris.ai. This could expose sensitive information contained in user queries or in data passed to executed APIs.

HIGH Broad API execution capability poses security risk -50

The skill can dynamically discover and execute arbitrary external APIs through the QVeris service. This broad capability could be misused to access unintended or potentially dangerous APIs, depending on what's available through QVeris.

MEDIUM Facilitates execution of arbitrary external tools -35

While the skill doesn't directly execute arbitrary code locally, it provides a mechanism to discover and invoke arbitrary external APIs and tools through the QVeris platform, which could have security implications depending on available tools.

LOW External network dependency -10

The skill makes network connections to the external QVeris service, as expected for its functionality. This creates an external dependency and a potential attack vector if the service is compromised.

INFO Broad capability description -5

The skill description uses broad language about executing 'dynamic tools' which could be interpreted more widely than intended, though no explicit prompt injection was detected.