Skill v0.1.0
ClawScan security
Qr Code Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 9:23 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill implements a local QR-code generator that matches its description; it requests no credentials and contains no network/exfiltration behavior — the only oddity is an unnecessary mention of installing an OpenClawCLI dependency in the docs.
- Guidance: This skill appears internally consistent and implements a local QR-code generator. Before installing or running it: (1) verify the source — the package lists no homepage and the README references 'clawhub.ai' but the code does not use it; ask the publisher why OpenClawCLI is mentioned. (2) Run in a Python virtual environment to avoid changing system packages. (3) Inspect any logo or batch input files you feed the script (it will read local files and write output images). (4) If you need a stronger trust signal, request a canonical homepage/repository or a signed release; otherwise treat this as unprivileged local code and run it in a sandbox or isolated environment.
Review Dimensions
- Purpose & Capability (note): The code and documentation implement QR generation features (URLs, WiFi, vCard, batch, colors, logos, multiple formats) consistent with the skill name and description. The SKILL.md repeatedly states a prerequisite to 'Install OpenClawCLI (clawhub.ai)', but the included scripts do not call or depend on any OpenClawCLI APIs or binaries — this prerequisite appears unnecessary or misplaced.
- Instruction Scope (ok): Runtime instructions in SKILL.md are limited to installing Python packages, running scripts, and reading local input files (txt/csv/json) to generate QR images. The instructions reference only local files and standard CLI options; there are no steps that collect system secrets, read unrelated config files, or transmit data to external endpoints.
- Install Mechanism (ok): This is instruction-only (no platform install spec). Dependencies are standard PyPI packages (qrcode[pil], segno, Pillow) declared in requirements.txt and referenced in the README; no remote arbitrary downloads or archive extraction are used. Risk is typical for running third-party Python code locally.
- Credentials (ok): The skill requests no environment variables, no credentials, and no config paths. That matches the stated functionality. The only environment guidance is to use a virtualenv to avoid modifying system Python, which is reasonable.
- Persistence & Privilege (ok): The skill is not forced always-on, does not ask to persist credentials or modify other skills, and contains no autonomous invocation directives. It runs as a local CLI script when invoked.
