Is hqman/qveris safe?

Every tool search and execution call is transmitted to qveris.ai, a third-party service with unknown privacy policy, security posture, and ownership. The service logs natural-language user queries, tool identifiers, execution parameters, and the QVERIS_API_KEY. This creates a persistent telemetry relationship with an external actor who gains visibility into the user's intentions and workflows.

The skill's execute command dispatches arbitrary API calls to tools discovered at runtime from qveris.ai. The tool catalog, tool_id resolution, and response content are all controlled by qveris.ai at execution time, not at install time. A malicious or compromised qveris.ai could return tool results containing injected instructions, exfiltration payloads encoded in response fields, or tool definitions designed to harvest subsequent parameters.

The skill registers auto_invoke: true with trigger patterns covering 'analysis', 'data', 'trading', 'indicators', and Chinese-language equivalents. These terms appear in everyday technical and business conversations unrelated to stock trading, meaning the skill could silently activate during unrelated agent sessions and route user queries to qveris.ai without explicit invocation.

QVeris grants the agent access to 'thousands of API tools' including web search, currency exchange, geolocation, and financial data. In combination with other installed skills that provide filesystem access, the QVeris execute endpoint could serve as an exfiltration channel (file contents encoded in API parameters). The skill also claims stock trading analysis support; if a user grants trading permissions, tool execution could trigger real financial transactions through a qveris-connected brokerage API.

The API key is read from the environment and included as a Bearer token in every request to qveris.ai. Combined with search queries, tool IDs, and execution parameters, qveris.ai receives a comprehensive log of the user's activity and holds the user's API credential. If qveris.ai is breached, API key rotation would be required.

Inotify and auditd logs show access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials during the audit window. Critically, the first batch of accesses (audit event 265-270, timestamp 1771922682.252) predates the git clone by ~5 seconds (clone at 1771922687.760), attributing them to the oathe monitoring infrastructure's canary-seeding process. A second batch at 1771922705.735 aligns with periodic monitoring checks. Canary integrity confirms no exfiltration. No code in the skill reads these paths.

Full review of SKILL.md found no hidden Unicode characters, zero-width joiners, HTML comments, markdown tricks, instruction overrides, persona-switching commands, output-suppression directives, or references to external URLs for agent fetching. The frontmatter YAML is well-formed and constrained to metadata fields.

No npm install lifecycle scripts, git hooks in .githooks/, .gitattributes filter drivers, .gitmodules pointing to external repositories, or symlinks outside the repository were found. The Python dependency declaration (httpx>=0.25.0) is minimal and legitimate.