qry
Health Pass
- License — License: MIT
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Community trust — 11 GitHub stars
Code Fail
- child_process — Shell command execution capability in npm/qry/bin.js
- spawnSync — Synchronous process spawning in npm/qry/bin.js
- fs module — File system access in npm/qry/bin.js
- child_process — Shell command execution capability in npm/qry/install.js
- fs.rmSync — Destructive file system operation in npm/qry/install.js
- fs module — File system access in npm/qry/install.js
Permissions Pass
- Permissions — No dangerous permissions requested
This tool is a terminal-based, agent-first web search CLI that routes queries through various built-in search adapters (like DuckDuckGo, Brave, and GitHub) and outputs the results as JSON. It is primarily designed to give AI agents and developers easy, programmatic access to web searches.
Security Assessment
The automated scan raised several red flags regarding shell command execution and destructive file operations within the npm installer files (`npm/qry/bin.js` and `npm/qry/install.js`). However, this behavior is entirely standard and expected for an npm package: the scripts use shell execution to run the compiled Go binary, and they use destructive file system operations to clean up the downloaded archive during the installation process. The tool itself makes external network requests to fetch search results based on your configured adapters. There are no hardcoded secrets; in fact, it explicitly uses environment variable templating to ensure API keys never sit statically in configuration files. No dangerous system permissions are requested. Overall risk is rated as Low.
Quality Assessment
The project has a clean bill of health for maintenance and standards. It is actively maintained (last push was today) and properly licensed under the permissive MIT license. While it currently has a modest community following with 11 GitHub stars, its architecture is well-documented and it includes agent-friendly features (like hiding resolved secrets from agent info outputs), showing a mature approach to developer experience.
Verdict
Safe to use.
A terminal-native, agent-first web search CLI
qry
A terminal-native, agent-first web search CLI. Routes queries through swappable built-in adapters and always outputs JSON.
qry "what is the latest version of numpy"
[
{
"title": "NumPy 2.0 Release Notes",
"url": "https://numpy.org/doc/stable/release/2.0.0-notes.html",
"snippet": "NumPy 2.0.0 is the first major release since 2006..."
}
]
Install
npm (recommended):
npm install -g @justestif/qry
mise:
mise cache clear
mise use -g go:github.com/justestif/qry@latest
mise reshim
Adapters
Adapters are built-in packages that do the actual searching. They implement a common interface.
| Adapter | Source | Key required |
|---|---|---|
brave-api |
Brave Search API | ✓ |
brave-scrape |
Brave Search (scraping) | ✗ |
ddg-scrape |
DuckDuckGo Lite (scraping) | ✗ |
exa |
Exa AI (via MCP) | ✗ |
github |
GitHub Search API | ✗ (optional) |
searx |
SearXNG (self-hostable) | ✗ |
stackoverflow |
Stack Exchange API | ✗ (optional) |
wikipedia |
Wikipedia / MediaWiki API | ✗ |
Configure
Create ~/.config/qry/config.toml:
Use ${VAR} syntax in adapter config values — qry expands them from the environment
at runtime so secrets never live in the file:
[adapters.brave-api.config]
api_key = "${BRAVE_API_KEY}"
[defaults]
num = 10
timeout = "5s"
[routing]
mode = "first"
pool = ["ddg-scrape"]
fallback = ["brave-scrape"]
[adapters.ddg-scrape.config]
[adapters.brave-scrape.config]
Agent usage
An agent skill is available for one-line install into any supported agent:
npx skills add justestif/qry -g -y
Browse skills at skills.sh.
Run qry --agent-info (or -A) to get a JSON description of the tool and your current
configuration — useful for agents to orient themselves before making search calls:
qry --agent-info
The output includes the tool description, available flags, routing mode explanations,
and each configured adapter with its availability status. Adapter config
maps show ${VAR} template strings rather than resolved values, so secrets are never exposed.
Routing modes
first— tries adapters in order, returns on first success. Fast, good for most use cases.merge— queries all adapters concurrently, deduplicates by URL, returns combined results.
More
See docs/ for full documentation:
docs/architecture.md— how qry works internallydocs/schema.md— config and JSON schemasdocs/adapters.md— how to build your own adapter
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found