Qr Code Generator

Security checks across malware telemetry and agentic risk

Overview

This is a local QR-code generator whose behavior matches its purpose, though users should treat generated codes and terminal output as exposing the encoded data.

Install in a virtual environment, keep image-processing dependencies updated, and only encode information you intend to share. Avoid putting long-lived WiFi passwords, private contact details, or sensitive messages in QR codes unless distribution is controlled; also be aware that the tool may show part of the encoded content in terminal or agent logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation encourages generating QR codes containing WiFi passwords and personal contact data without warning that the resulting QR code directly exposes that sensitive information to anyone who scans it, photographs it, or receives the file. In this skill context, the omission is more dangerous because the skill is specifically designed to package secrets and PII into easily shareable artifacts, increasing the chance of accidental disclosure.

Missing User Warnings

Medium
Confidence: 81%
Finding
The README explicitly demonstrates generating QR codes that encode WiFi credentials and personal contact information, but it does not warn that anyone who can view or photograph the code can extract that sensitive data. In the context of a QR-generation skill, this omission increases the risk of accidental disclosure because users may treat the output as harmless artwork rather than a machine-readable secret.

Missing User Warnings

Medium
Confidence: 95%
Finding
After generating a QR code, the script prints the encoded content to stderr, which can expose sensitive values such as WiFi passwords, email bodies, SMS messages, or vCard data in logs, terminal scrollback, CI output, and shell history captures. Because this skill is designed to handle many secret-bearing payload types, the context makes the leakage materially more dangerous than a generic QR tool.

VirusTotal

64/64 vendors flagged this skill as clean.
