qrcode-remote
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The QR-code features are coherent, but the skill tells the agent to automatically install third-party dependencies without asking, which deserves review before use.
Install only if you are comfortable with the agent running pip/npm on first use. Consider installing dependencies manually in an isolated environment, avoid decoding sensitive QR images unless remote upload is acceptable, and keep backups when using batch decode on spreadsheets.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A simple QR-code request could cause the agent to change the local Python or Node environment and fetch packages from public registries before the user explicitly approves installation.
The skill instructs the agent to install missing Python or Node dependencies automatically without a separate user approval step, which can download and run third-party package installation code.
"If missing, install automatically without asking the user: ... pip install -r requirements.txt ... npm install"
Require explicit user confirmation before running pip or npm, prefer a virtual environment, and pin or lock dependency versions.
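One way to implement that recommendation, written here as an added example rather than code from the skill or from ClawScan: parse the requirements file, flag unpinned specs, work out which packages are actually missing, and build the pip command against a virtual environment, but run it only when the caller passes an explicit approval for that exact command. The requirements text, the package names in it, and the venv path are constructed assumptions for illustration; npm would get the same treatment with a package-lock.json check.

```python
import os
import re
import subprocess

# Constructed sample requirements.txt; the package names are assumptions, not
# the skill's real dependency list.
SAMPLE_REQUIREMENTS = """\
# image decoding
pyzbar==0.1.9
Pillow>=10.0
opencv-python
"""

NAME = re.compile(r"^([A-Za-z0-9_.\-]+)")
PINNED = re.compile(r"^[A-Za-z0-9_.\-]+==[0-9][A-Za-z0-9.\-]*$")


def parse_requirements(text):
    """Return (name, spec) pairs, ignoring comments and blank lines."""
    reqs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = NAME.match(line)
        if m:
            reqs.append((m.group(1), line))
    return reqs


def unpinned(reqs):
    """Specs not pinned to an exact version; these should be locked before install."""
    return [spec for _, spec in reqs if not PINNED.match(spec)]


def missing(reqs, is_installed=None):
    """Names with no installed distribution. is_installed is injectable for tests;
    the default asks importlib.metadata, which does not import the package."""
    if is_installed is None:
        from importlib import metadata

        def is_installed(name):
            try:
                metadata.distribution(name)
                return True
            except metadata.PackageNotFoundError:
                return False
    return [name for name, _ in reqs if not is_installed(name)]


def install_plan(reqs, venv_dir, is_installed=None):
    """Build, but do not run, the pip command for the missing packages.
    The venv's own pip is used and --require-virtualenv refuses to touch a global site."""
    need = missing(reqs, is_installed)
    if not need:
        return None
    pip = os.path.join(venv_dir, "Scripts" if os.name == "nt" else "bin", "pip")
    specs = [spec for name, spec in reqs if name in need]
    return [pip, "install", "--require-virtualenv", *specs]


def install_if_approved(plan, approved):
    """Run pip only when the user approved this exact command (approved=True).
    The agent should show ' '.join(plan) to the user before asking."""
    if plan is None:
        return "nothing to install"
    if not approved:
        return "blocked: user approval required for " + " ".join(plan)
    subprocess.run(plan, check=True)
    return "installed"


if __name__ == "__main__":
    reqs = parse_requirements(SAMPLE_REQUIREMENTS)
    print("unpinned:", unpinned(reqs))
    plan = install_plan(reqs, os.path.join(os.getcwd(), ".venv"))
    print(install_if_approved(plan, approved=False))
```

The point of separating install_plan from install_if_approved is that the agent can present the exact command to the user; nothing is fetched from a registry until that approval is given.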
QR images or image URLs selected for decoding may be sent to a third-party service, which could expose sensitive QR contents or private image data.
When local decoding fails, the script can read a local QR image file and submit it to the external CaoLiao decode API.
API_ENDPOINT = "https://api.2dcode.biz/v1/read-qr-code" ... with open(file_path, "rb") as f: file_data = f.read()
Do not decode sensitive private images unless the user is comfortable with the remote fallback, or add a local-only option that requires approval before upload.
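The local-only option with approval before upload can be structured as below. This is an added example, not the skill's script: the local and remote decoders are injected callables (a real deployment would pass a pyzbar or OpenCV decoder and an HTTP client for the endpoint quoted above), and the approval callback is where the user sees what would leave the machine. The default policy denies uploads, so a non-interactive run can never fall back to the remote service silently.

```python
import hashlib
from pathlib import Path

# Endpoint quoted in the finding above; nothing here sends a request, the
# remote_decode callable supplied by the caller does that.
API_ENDPOINT = "https://api.2dcode.biz/v1/read-qr-code"


class LocalDecodeFailed(Exception):
    """Raised by a local decoder when it cannot read the image."""


def deny_by_default(info):
    """Non-interactive policy: never upload."""
    return False


def prompt_approval(info):
    """Interactive policy: show exactly what would be uploaded, then ask."""
    print("Local decoding failed. Remote fallback would upload:")
    for key, value in info.items():
        print(f"  {key}: {value}")
    return input("Upload this image to the remote decoder? [y/N] ").strip().lower() == "y"


def decode_bytes(data, local_decode, remote_decode, approve_upload=deny_by_default, name="<memory>"):
    """Try local_decode(data) first. On LocalDecodeFailed, call remote_decode(data)
    only if approve_upload(info) returns True. Returns (source, text_or_None)."""
    try:
        return ("local", local_decode(data))
    except LocalDecodeFailed:
        pass
    info = {
        "file": name,
        "size_bytes": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "endpoint": API_ENDPOINT,
    }
    if not approve_upload(info):
        return ("blocked", None)
    return ("remote", remote_decode(data))


def decode_file(path, local_decode, remote_decode, approve_upload=deny_by_default):
    """File-based wrapper matching the script's open(file_path, 'rb') pattern."""
    p = Path(path)
    return decode_bytes(p.read_bytes(), local_decode, remote_decode, approve_upload, name=str(p))
```

With deny_by_default the function is safe to call from batch jobs; prompt_approval is for interactive use, and the sha256 in the approval record gives the user a way to audit later which image was sent.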
A batch decode operation can modify the user's spreadsheet or CSV in place, which may surprise users who expected a separate output file.
The batch decode helper documents that its default behavior is to write decoded results back into the original input file.
"Default behavior: add a new column to the original file and write the decoded results into it."
Tell users before modifying source files, offer the TXT output mode by default, or create backups before write-back.
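The safer write path can look like this. It is an added example, not the skill's batch helper: decoding results are appended in memory and written to a sibling .decoded file by default, and the original is overwritten only when in_place is explicitly requested, after a timestamped backup copy has been made. The sample CSV and its column names are constructed assumptions.

```python
import csv
import io
import shutil
import time
from pathlib import Path

# Constructed sample spreadsheet; column names are assumptions for this example.
SAMPLE_CSV = "id,qr_image\n1,a.png\n2,b.png\n"


def add_decoded_column(csv_text, decode, src_col="qr_image", out_col="qr_decoded"):
    """Return new CSV text with decode(row[src_col]) in out_col; the input is untouched.
    Refuses to clobber an existing column so a re-run cannot silently overwrite data."""
    reader = csv.DictReader(io.StringIO(csv_text))
    fields = list(reader.fieldnames or [])
    if src_col not in fields:
        raise ValueError(f"missing column {src_col!r}")
    if out_col in fields:
        raise ValueError(f"column {out_col!r} already exists; refusing to overwrite")
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=[*fields, out_col], lineterminator="\n")
    writer.writeheader()
    for row in reader:
        row[out_col] = decode(row[src_col])
        writer.writerow(row)
    return buf.getvalue()


def default_output_path(in_path):
    """Sibling file <stem>.decoded<suffix>, so the source file is never the target by default."""
    p = Path(in_path)
    return p.with_name(p.stem + ".decoded" + p.suffix)


def write_results(in_path, csv_text, in_place=False):
    """Write to a separate file unless in_place=True was explicitly requested.
    In-place writes first copy the original to a timestamped .bak file.
    Returns (written_path, backup_path_or_None)."""
    p = Path(in_path)
    if in_place:
        backup = p.with_name(p.name + time.strftime(".bak-%Y%m%d%H%M%S"))
        shutil.copy2(p, backup)
        target = p
    else:
        backup = None
        target = default_output_path(p)
    with open(target, "w", newline="", encoding="utf-8") as f:
        f.write(csv_text)
    return target, backup


if __name__ == "__main__":
    # Stand-in decoder: a real run would pass the local/remote QR decoder here.
    print(add_decoded_column(SAMPLE_CSV, lambda path: "decoded:" + path))
```

The agent should state the target path before writing; with this layout that is the .decoded file unless the user asked for in-place mode, in which case the backup path is reported too.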
