Back to skill
Skillv1.0.1
VirusTotal security
qrcode · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:47 AM
- Hash
- f62a81b780793181b27a0c3ff3f272f0589887638a098c927d4ef09e7eaf643d
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: qrcode-skills Version: 1.0.1 The skill bundle provides legitimate QR code generation and decoding functionality but contains high-risk operational instructions and capabilities. Specifically, SKILL.md instructs the AI agent to automatically install dependencies via 'pip' or 'npm' without user confirmation, which is a risky practice that could be exploited for supply chain attacks. Additionally, the decoding scripts (scripts/decode.py and scripts/decode.js) perform network requests to download images from arbitrary user-provided URLs, which could facilitate Server-Side Request Forgery (SSRF) in restricted environments. While these behaviors are aligned with the stated purpose, they represent significant security risks.
- External report
- View on VirusTotal