Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

My Generate Qr Code

v1.0.0

Generates QR codes/barcodes for text, URLs, WiFi configuration and other content, with customizable size and color and a user-specified save path

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included agent.py and SKILL.md: the skill generates QR images, supports size/color, and saves to a path. It does not request unrelated credentials, binaries, or config paths.
Instruction Scope
SKILL.md instructs the agent to call generate_qr and to auto-install qrcode/Pillow if missing — the code does perform these actions. However, SKILL.md mentions filtering special characters and WiFi-format validation; the provided code does not implement explicit content filtering or WiFi-format validation, so behavior for those edge cases is not implemented as claimed.
Install Mechanism
There is no external install spec, but agent.py will attempt to run pip at runtime (sys.executable -m pip install ...) to fetch qrcode and pillow from PyPI. These are standard packages (no custom URLs), but the runtime pip install performs network downloads and writes to disk. Also, the import check uses '__import__("pillow")' while Pillow is imported as 'PIL', which may trigger unnecessary pip installs.
Credentials
The skill requests no credentials and no special env vars. It does read USERPROFILE to locate the Windows Desktop when save_path is omitted; that is reasonable for determining a default path but is undocumented in requires.env and could raise a KeyError on unusual environments.
Persistence & Privilege
The skill is not always-enabled, does not persist agent-wide changes, and only writes image files to the filesystem (user-specified paths). It does not modify other skills or system settings.
Assessment
This skill appears to do what it claims: generate and save QR images. Before installing or using it consider: (1) it will attempt to run pip at runtime to install 'qrcode' and 'pillow' from PyPI (network download and disk writes) — if you prefer, install those packages yourself ahead of time; (2) it will write files to the filesystem (default: Desktop) and will create directories if necessary — ensure the save path is trusted and writable; (3) there are minor implementation issues (it checks for 'pillow' via __import__('pillow') though Pillow is imported as PIL, and it claims to filter special characters / validate WiFi format but the code does not enforce these), so avoid feeding sensitive data until you review or test behaviour; (4) if you need stricter validation or want to avoid runtime package installs, review/modify the agent.py before use.

Like a lobster shell, security has layers — review code before you run it.
