Skill v1.0.0
ClawScan security
invoice-qr-scanner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 3, 2026, 3:24 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's QR-decoding code is consistent with its stated purpose, but the runtime instructions ask the agent to read and submit highly sensitive memory data to arbitrary decoded URLs via unspecified browser automation without clear safeguards, which is disproportionate and risky.
- Guidance: This skill does what it claims (decodes QR codes and attempts to fill invoice forms), but it will read sensitive company data from your agent memory and submit it to whatever URL is encoded in the QR. Before installing: 1) require that the agent always prompt you for confirmation (and show the decoded URL) before opening or submitting to the site; 2) prefer a domain whitelist or manual-approval step for target URLs; 3) verify where snapshots and updated MEMORY.md entries are stored and who can access them; 4) test the scan-qr.js locally to confirm QR output; 5) ensure browser automation runs in a sandboxed environment and that sensitive fields are not auto-submitted without explicit consent. If the author can provide an explicit browser-automation implementation, a forced confirmation step, or domain whitelisting, reassess; those mitigations would reduce the current concerns.
Review Dimensions
- Purpose & Capability (note): The skill name/description (scan invoice QR and fill invoice forms) matches the included QR decoding script and the stated use of MEMORY.md for company/contact info. However, the SKILL.md references browser automation and live form submission but does not declare or include any browser-automation implementation, dependencies, or explicit user-consent steps. This omission is a gap between claimed capability and what's provided.
- Instruction Scope (concern): Instructions tell the agent to: decode a QR to a URL, open that URL in browser automation, read sensitive company/contact data from memory files (MEMORY.md, memory/YYYY-MM-DD.md), fill and submit forms, take snapshots, and update memory. These actions involve reading and transmitting sensitive data (tax ID, bank account, phone, emails) to external endpoints discovered from QR codes. The SKILL.md says to 'Always verify' the URL but does not mandate user confirmation or domain whitelisting before submission, nor does it specify how snapshots and memory updates are stored or protected.
- Install Mechanism (note): There is no install spec (instruction-only skill), which reduces some risk. The repository includes a Node.js script and a package.json that instructs npm install of qrcode-reader and canvas; canvas has native system dependencies (libcairo, etc.) noted in the README. No remote downloads from untrusted URLs are present. Overall install risk is low-to-moderate, but the skill assumes availability of browser automation without providing it.
- Credentials (concern): The skill requests no environment variables or external credentials, which is good, but it explicitly reads local memory files containing highly sensitive company information (tax ID, bank account numbers, phone numbers, emails) and will transmit them to whatever URL the QR code contains. That is a high-sensitivity operation without declared safeguards; the lack of requested credentials is not sufficient protection because the skill still exfiltrates secrets via the web forms it auto-submits to.
- Persistence & Privilege (note): always:false and default autonomous invocation are set. Autonomous invocation combined with this skill's ability to read memory and submit external forms raises the blast radius if the agent runs without explicit user confirmation. The skill also instructs updating memory files, which is reasonable for its purpose, but it is not documented how writes are controlled or consented to.
