v1.0.0

Qrcode Tool

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 4:30 PM.

Analysis

This is a simple local QR-code tool, with only minor notes about manual Python dependencies and user-directed file reading/writing.

Guidance: This skill appears safe for ordinary QR-code generation. Before installing dependencies, use a trusted Python environment, and when saving or reading files, make sure the paths are ones you intended to use.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
scripts/qr.py
print("Install with: pip install qrcode[pil]") ... print("Install with: pip install pillow pyzbar")

The script relies on Python packages that are not declared in an install spec and are suggested as manual, unpinned pip installs. This is common for a small Python utility, but users should install dependencies from trusted sources.

User impact: Installing Python packages adds third-party code to the local environment.
Recommendation: Use a virtual environment, install packages from trusted sources, and prefer pinned dependency versions if this skill is packaged for repeated use.

Tool Misuse and Exploitation
Severity: Info, Confidence: High, Status: Note
scripts/qr.py
parser.add_argument('-r', '--read', help='Read QR from image') ... img = Image.open(image_path) ... img.save(output)

The tool can read a user-specified image and write a user-specified output file. This is aligned with QR-code use, but it means the agent should be careful about what local paths it is asked to access or overwrite.

User impact: A mistaken path could read an unintended image or overwrite/create a file at the chosen output location.
Recommendation: Confirm output filenames before saving and only use the read option on images you intend to decode.