Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
qrcode
v1.0.1
Generate and decode QR codes locally. Use when the user wants to create a QR code from text/URL, decode/read QR code content from an image, or asks about QR...
by @hinisal
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description (generate & decode QR codes) match the included scripts (generate/decode and batch variants in Python & Node). Dependencies listed (qrcode, zxingcpp, qr-scanner-wechat, etc.) are appropriate for the functions. Minor metadata inconsistency: package.json lists version 2.0.0 while registry metadata shows 1.0.1 (likely packaging/version drift, not malicious).
Instruction Scope
SKILL.md instructs the agent to run the included scripts and to download remote images only when given an image URL — that matches the code. Two noteworthy operational behaviors: (1) the skill auto-installs dependencies without prompting the user (pip install -r requirements.txt or npm install), and (2) batch decode will write results back into the original CSV/XLSX file by default (modifies user files). Both behaviors are documented in SKILL.md but merit user awareness.
Install Mechanism
There is no platform-level install spec; installation is performed at runtime by running pip/npm as described in SKILL.md. That is expected for an instruction+script skill, but it means packages will be fetched from PyPI/npm (network and native build steps may occur). The requirement zxingcpp (Python) may require native build tooling on some systems.
Credentials
The skill requests no environment variables, credentials, or config paths. It only performs file I/O, temporary downloads of user-provided image URLs, and dependency installs — all coherent with its purpose.
Persistence & Privilege
Skill flags are default (always: false, user-invocable: true, autonomous invocation allowed). The skill does not request permanent platform-wide privileges or modify other skills' configs. It will create temp files and may overwrite input files for batch decode (documented).
Assessment
This skill appears to do exactly what it says: local QR generation and decoding with both Python and Node.js script implementations. Before installing or allowing the agent to run it, consider: (1) the skill will attempt to auto-install Python/npm dependencies (network access and possible native builds); you may prefer to install dependencies manually so you can review them first; (2) batch-decode will, by default, write results back into the original CSV/XLSX file—make a backup if you need the originals preserved; (3) when decoding URLs the skill will download the remote image to a temp file (expected behavior); verify you trust the image sources; (4) if you have restricted environments, run the scripts in a sandbox or inspect the scripts themselves (they are included) before execution. The only minor oddity is a version mismatch between package.json and the registry metadata, which is likely benign but worth checking.
Like a lobster shell, security has layers — review code before you run it.
