Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
qrcode-remote
v1.0.0
Generate and decode QR codes using CaoLiao QR Code API. Use when the user wants to create a QR code from text/URL, decode/read QR code content from an image,...
by @hinisal
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code and SKILL.md: scripts generate QR URLs/images and decode images locally with a remote API (CaoLiao / api.2dcode.biz) as fallback. The requested code and dependencies are coherent with those capabilities (qrcode, zxingcpp, qr-scanner-wechat, xlsx, etc.).
Instruction Scope
Runtime instructions include auto-installing dependencies and running local scripts that will: download images from arbitrary URLs, upload images/files to a third-party API for decoding, create directories, and overwrite input CSV/XLSX files (batch decode writes results back to the original file). These actions go beyond passive read-only operations and have privacy and data-integrity implications.
Install Mechanism
There is no declared install spec; instead SKILL.md instructs the agent to run 'pip install -r requirements.txt' or 'npm install' automatically at first use without asking the user. Installing packages at runtime is moderate risk (pulls code from PyPI/npm), may require native builds (sharp, zxingcpp), and can fail or change system state.
Credentials
The skill requests no environment variables or credentials. Network calls are only to the CaoLiao API (api.2dcode.biz) and to arbitrary image URLs provided by the user, which is consistent with QR decoding/generation functionality.
Persistence & Privilege
The skill is not set to always:true and does not request special agent-wide privileges, but it will install dependencies, create files/directories, download and write images to disk, and overwrite input files during batch operations. Those are legitimate for this use case but are privileged actions the user should authorize explicitly.
What to consider before installing
This skill generally does what it promises (generate and decode QR codes), but consider these points before installing:
- Auto-install: The agent will run 'pip install -r requirements.txt' or 'npm install' automatically on first use. That modifies your environment and pulls packages from PyPI/npm. If you prefer, run those installs yourself in a controlled environment first.
- Privacy: Decoding prefers local libraries but will upload images to the third-party API (https://api.2dcode.biz) when local decoding fails or when you choose API flows. Don't feed sensitive images you don't want transmitted to external servers.
- File overwrite: Batch decode scripts write results back into the original CSV/XLSX files (and batch generate may write many image files). Back up user files before running batch operations.
- Local execution risks: Scripts download arbitrary URLs and follow redirects. Only process inputs (URLs/files) you trust.
If you still want to use the skill, test it first in an isolated environment, review requirements.txt/package.json, and run dependency installation manually so you can inspect what gets installed.
Like a lobster shell, security has layers — review code before you run it.
