Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

My QR Code Generation Skill

v1.0.0

Generates QR code images containing text, URLs, or WiFi information, with support for custom size and color and saving to a specified path.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (generate QR codes with custom size/color/save path) align with the included agent.py and SKILL.md. The code implements generate_qr, uses the qrcode and Pillow libraries, and saves images to the requested path.
Instruction Scope
SKILL.md and agent.py are generally aligned: both describe auto-installing qrcode/Pillow and saving images. Two small mismatches: SKILL.md claims '自动过滤无效字符' (automatic filtering of special characters) but agent.py only calls text.strip() and does not perform further sanitization; SKILL.md mentions default desktop path which the code implements, but the code directly writes to any save_path provided by the user (expected for this skill but worth noting because a maliciously chosen path could overwrite files if the agent is given elevated rights).
Install Mechanism
No install spec in registry, but agent.py performs runtime installation via subprocess.check_call([sys.executable, "-m", "pip", "install", package]) for 'qrcode' and 'pillow'. This is coherent with the stated behavior but implies network activity and modification of the Python environment at import time — a reasonable tradeoff for an instruction-only skill but a moderate operational risk (use a virtualenv/container).
Credentials
The skill requests no credentials or special environment variables. The code reads USERPROFILE for Windows desktop path without a fallback, which is an implementation fragility (not a credential issue). No broad or unrelated env access is present.
Persistence & Privilege
always is false, the skill does not request permanent inclusion or modify other skills or global agent settings. It does install Python packages and write image files (expected for its purpose) but does not persist tokens or alter system configs.
Assessment
This skill appears to do exactly what it says: generate and save QR images. Before installing or running it: (1) be aware the code will run pip install at import time — run it in a virtual environment or isolated container to avoid changing your global Python environment; (2) when supplying a save_path, avoid system directories or running the agent with elevated privileges to prevent accidental overwrites; (3) note SKILL.md claims special-character filtering but the code only strips whitespace — validate or sanitize input yourself if you expect untrusted content; (4) on non-Windows systems the code relies on ~/Desktop, and on Windows it uses USERPROFILE without fallback (may raise an error if that env var is missing). If these caveats are acceptable, the skill is coherent with its description.

Like a lobster shell, security has layers — review code before you run it.
