Skill v1.0.0
ClawScan security
Cn Qrcode Reader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 30, 2026, 1:17 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files and runtime instructions match its stated purpose (reading QR/barcodes from images); it does not request credentials, network access, or privileged installation and the included script only performs local image decoding and optional local file output.
- Guidance: This skill appears to do what it says: decode QR codes and barcodes from local image files. Before installing or running it: (1) review the included script (you already have it) and run it in a safe environment if you have concerns; (2) install dependencies from official sources (pip, your OS package manager) and be prepared to install the native zbar library; (3) note the script only writes output to stdout or an explicit --save file (no network calls or credential usage); and (4) avoid running it on untrusted images if you are worried about malformed-image processing bugs; run inside a sandbox if needed.
Review Dimensions
- Purpose & Capability: ok. Name/description claim a QR/barcode reader. The SKILL.md and the included Python script implement exactly that: open images, decode barcodes via pyzbar/Pillow, print results, and optionally save to a local file. No unrelated services, binaries, or credentials are requested.
- Instruction Scope: ok. Runtime instructions and example commands only describe running the provided Python script and installing local dependencies (Pillow, pyzbar, zbar). The script reads image files, prints results, and can save them locally; it does not read other system files, environment variables, or transmit data externally.
- Install Mechanism: ok. No install spec is provided (instruction-only skill with an included script). Dependencies are standard Python packages and a native zbar library; nothing is downloaded from an untrusted URL or extracted to unexpected locations.
- Credentials: ok. The skill requests no environment variables, credentials, or config paths. The dependency requirements (Pillow, pyzbar, zbar) are appropriate and proportionate to image decoding.
- Persistence & Privilege: ok. The skill is not set to always:true, does not attempt to modify other skills or system-wide settings, and has no autonomous-modification behavior. It only runs as a script when invoked.
