Pipeworx qrcode

Security checks across malware telemetry and agentic risk

Overview

This is a small QR-code utility that uses a disclosed external service and does not request local access or elevated privileges.

Use this for ordinary QR-code generation and decoding. Avoid submitting passwords, API keys, confidential text, private documents, internal network URLs, or signed links unless you are comfortable sending them to the Pipeworx-hosted service.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill advertises that `read_qr` can decode QR codes from any publicly accessible image URL, which implies the remote service will fetch attacker-supplied URLs. Without an explicit warning, users may unknowingly cause third-party network requests that expose queried URLs, enable SSRF-like fetch behavior on the provider side, or leak sensitive identifiers embedded in URLs to the remote service.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal