QRCode

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill appears to be a purpose-aligned QR code generator, with minor install and privacy considerations but no artifact-backed malicious behavior.

This looks safe for normal QR-code generation. Before installing, be aware that it uses npm packages and writes generated files to the workspace root. If your QR code contains sensitive data, choose a neutral output filename with `-o` and avoid sharing or displaying the generated QR image where others can access it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill may download and run npm package install code for QR and image-processing libraries.

Why it was flagged

The skill depends on external npm packages, using semver ranges rather than pinned exact versions. This is expected for QR generation and image conversion, but it means installation pulls third-party code.

Skill content

"dependencies": { "qrcode": "^1.5.1", "sharp": "^0.32.4" }

Recommendation

Install only if you trust the package source and dependency chain; prefer a reviewed lockfile or pinned dependency versions for stricter reproducibility.

What this means

Using the skill runs a local helper script to create image files.

Why it was flagged

The skill is operated by running its included Node.js script. This local code execution is central to the stated QR-generation purpose and is clearly documented.

Skill content

node {baseDir}/scripts/generate.mjs "Hello World"

Recommendation

Use it as a normal local generator, and review the script/dependencies if your workspace has strict code-execution policies.

What this means

Sensitive QR contents, such as Wi-Fi details or private URLs, could be partially exposed through the generated file name.

Why it was flagged

The default filename includes a sanitized prefix of the QR text. If the QR content contains private data, part of it may persist visibly in the filename.

Skill content

return `qrcode_${safeText}_${timestamp}.${format === 'jpg' ? 'jpg' : format}`;

Recommendation

When encoding sensitive information, provide an explicit neutral output name with `-o`, such as `wifi.png` or `code.svg`.