ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

中文二维码生成器

v1.0.1

中文二维码生成器。输入URL或文本,一键生成高清PNG/SVG二维码。 支持自定义颜色/尺寸/Logo,无需API Key,开箱即用。 当用户说"生成二维码"、"二维码"、"qrcode"时触发。 Keywords: 二维码, 生成二维码, 扫码, qrcode, qr.

0· 43·0 current·0 all-time
by@freedompixels
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description and code align on generating QR images via a public HTTP API, but SKILL.md claims additional features (Logo overlay, SVG output, use of qrcode.monster) and lists a 'requests' dependency that generate.py does not use. The implementation uses api.qrserver.com and produces PNGs only — the declared capabilities are partly inaccurate.
Instruction Scope
Runtime instructions simply run the included Python script. The script only contacts a public QR image API, writes a local file (default ~/Downloads/qrcode.png or user-specified path) and does not read other system files or environment variables. It prepends 'https://' to inputs that don't start with http which can alter user input; otherwise the runtime scope is limited to generating and saving the image.
Install Mechanism
No install spec (instruction-only with a small included script). Nothing is downloaded or installed during skill install.
Credentials
The skill requests no environment variables or credentials. It performs a network call to api.qrserver.com but does not require secrets or unrelated credentials.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges.
What to consider before installing
This skill appears to be a simple QR generator that calls a public QR image API and saves a PNG locally, but the documentation overstates features (mentions Logo/SVG and the 'requests' package) while the script only uses qrserver.com and curl via subprocess. Before installing: ensure you are comfortable with the script making outbound HTTPS requests to api.qrserver.com, verify you have curl available (the script invokes curl), and be aware it will create files (default ~/Downloads/qrcode.png). If you prefer no external network calls or need true SVG/Logo support, consider using a local Python QR library (eg. 'qrcode' / Pillow) or modify the script to implement the advertised features. If you need higher assurance, request the author correct the SKILL.md or provide an updated implementation that matches the documented capabilities.

Like a lobster shell, security has layers — review code before you run it.

latestvk979x5tmsgwg7e3ntpw5kcmhd984vnkr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📱 Clawdis

Comments