qrcode
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill mostly matches its QR-code purpose, but it can auto-install third-party dependencies without asking and batch decoding can write untrusted QR contents back into original spreadsheets.
Use this skill only if you are comfortable with local pip/npm dependency installation. Prefer running it in an isolated project or virtual environment, and batch-decode spreadsheets only on copies of files from trusted sources.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may change the local Python or Node environment and run third-party package installation steps before the user has reviewed them.
The skill tells the agent to install third-party Python or npm dependencies automatically without explicit user approval.
If missing, install automatically without asking the user: ... pip install -r requirements.txt ... npm install
Ask the user before installing dependencies, use a virtual environment or project-local install, and add pinned versions or lockfiles.
A QR code containing spreadsheet-formula text could be written into a CSV/XLSX file and later execute as a formula when opened or shared.
Decoded QR contents are written directly into the original workbook and the original file is saved in place.
ws.cell(row=i + 2, column=result_col_idx, value=decoded) ... wb.save(input_path)
Write decoded results to a new copy by default, keep backups, and escape values that start with formula characters such as =, +, -, or @.
This is disclosed and purpose-aligned, but decoding remote or batch-supplied URLs will make network requests from the user’s machine.
When given a remote image URL, the decoder downloads that URL locally before decoding.
urllib.request.urlretrieve(url, tmp.name)
Only decode URLs you trust, and avoid using batch files that may contain unexpected internal or sensitive URLs.
