CodeBox QR Code

Security checks across malware telemetry and agentic risk

Overview

This appears to be a QR-code management skill with expected analytics and deletion features, but users should handle scan data carefully and confirm destructive actions.

Install only if you are comfortable sending or handling QR scan analytics. Avoid exporting unnecessary device/location/time data, obtain consent where needed, and treat deletion as potentially irreversible for live QR campaigns.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly supports scan analytics and scan-event export that include device, location, and time data, but it provides no privacy notice, consent guidance, or data-minimization warning. This can lead users to collect and expose potentially sensitive behavioral and location information without understanding the privacy and compliance implications.

Missing User Warnings

Medium
Confidence: 81%
Finding
The delete operation is documented as a simple API call with no warning that it may permanently remove a QR code or disrupt live campaigns using that code. Users may trigger destructive actions without confirmation or understanding the operational consequences.

VirusTotal

66/66 vendors flagged this skill as clean.
