Back to skill

Security audit

Qr Code Generator

Security checks across malware telemetry and agentic risk

Overview

This is a local QR-code generator whose behavior matches its purpose, but generated codes and command output can expose any secrets the user encodes.

Install it in a virtual environment, keep Pillow and related image packages current, and treat every generated QR code as public to anyone who can view it. Avoid encoding long-lived WiFi passwords or private contact details unless distribution is controlled, and be aware that single-code runs may print encoded content to terminal or agent logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation provides examples for WiFi credentials and contact data without warning that QR codes encode secrets and personal information in easily shareable, scannable form. Users may inadvertently expose network passwords or PII by generating and distributing these codes, especially because the examples normalize embedding plaintext credentials.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly demonstrates generating QR codes that embed WiFi SSIDs and passwords, but it provides no warning that QR codes are easily shared, photographed, or redistributed. In the context of a QR-generation skill, this normalizes putting live credentials into a scannable artifact and can lead to unintended exposure of network access if users reuse production or personal passwords.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script prints the encoded QR payload to stderr after successful generation, which can leak sensitive information such as WiFi passwords, email bodies, phone numbers, event details, or vCard contact data into terminal history, CI logs, wrappers, or agent telemetry. In this skill’s context, users are explicitly encouraged to generate QR codes for secrets and personal data, so echoing the content materially increases exposure risk.

Unpinned Dependencies

Low
Category
Supply Chain
Content
segno>=1.6.0

# Image processing (included with qrcode[pil])
Pillow>=10.0.0
Confidence
93% confidence
Finding
Pillow>=10.0.0

Known Vulnerable Dependency: Pillow==10.0.0 — 10 advisory(ies): CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2024-28219 (Pillow buffer overflow vulnerability); CVE-2023-4863 (libwebp: OOB write in BuildHuffmanTable) +7 more

Critical
Category
Supply Chain
Confidence
98% confidence
Finding
Pillow==10.0.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.