Skill v1.0.0
VirusTotal security
invoice-qr-scanner · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 5:12 AM
- Hash: 497033e4de87f17808c4c7325f1210570a73cab67c9646cbe9e74c02a28ccf04
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: invoice-qr-scanner; Version: 1.0.0. The skill is classified as suspicious due to potential shell injection vulnerabilities and the inherent risk of opening arbitrary URLs. The `SKILL.md` and `README.md` instruct the OpenClaw agent to execute `node scan-qr.js <image-path>`. If the `<image-path>` argument is derived directly from unsanitized user input, it could lead to shell injection (e.g., `image.jpg; rm -rf /`). Additionally, the skill's core function involves decoding QR code URLs and then instructing the agent to open them via browser automation. While `SKILL.md` advises to 'Always verify the decoded URL is legitimate', the skill itself does not implement this verification, posing a risk if a malicious QR code is scanned. These are significant vulnerabilities/risks, but there is no clear evidence of intentional malicious behavior (e.g., data exfiltration to external endpoints, persistence, or explicit prompt injection for unauthorized actions) within the provided code or instructions.
