My QR Code Generation Skill
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its QR-code purpose, but it can automatically run pip package installation when its code is loaded, which changes the local Python environment without clear user approval.
Review this skill before installing. It appears intended to generate QR codes, but it may automatically run pip installs for qrcode and Pillow. Prefer preinstalling pinned dependencies yourself or using an isolated environment, and choose a safe output path for generated QR images.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using or loading the skill may modify the user's Python environment and execute package-installation code from package sources.
The module calls install_dependencies() at top level, so loading the skill can automatically run pip install commands for unpinned packages before an explicit user approval step.
subprocess.check_call([sys.executable, "-m", "pip", "install", package]) ... install_dependencies()
Move dependencies into a declared install spec, pin package versions, and require user approval before installing anything automatically.
A mistaken save path could create files in an unintended location or overwrite an existing image file.
The skill can create directories and write the generated image to the user-provided save_path. This is disclosed and purpose-aligned, but it can overwrite or create files wherever the process has permission.
if not os.path.exists(save_dir): os.makedirs(save_dir) ... img.save(save_path)
Use a specific, safe output path and consider adding overwrite confirmation or path validation.
