My Generate Qr Code

Security checks across malware telemetry and agentic risk

Overview

This QR-code skill mostly does what it says, but it can automatically run pip and change the Python environment when loaded, which is broader than the stated file-writing permission.

Review before installing. The QR generation itself is local and narrow, but install it only in a controlled Python environment, preferably after manually installing trusted pinned versions of qrcode and Pillow. Avoid using shared or synced save locations for QR codes containing WiFi passwords, phone numbers, or other sensitive data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
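            __import__(package)  # Check whether the library is already installed
        except ImportError:
            # Automatically install the missing library
            subprocess.check_call([sys.executable, "-m", "pip", "install", package])

# Initialization: install dependency libraries
install_dependencies()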
Confidence
97% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", package])

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill declares only file-write permission, but the detected behavior indicates access to environment data and shell/subprocess execution. Undeclared shell capability is security-relevant because it can install packages or run arbitrary commands, expanding the attack surface beyond simple QR generation and violating least-privilege expectations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior says the skill generates QR/barcodes, but the implementation reportedly only supports QR codes and may invoke subprocess-based pip installation that is not clearly disclosed. Hidden package installation and behavior mismatch are dangerous because they introduce unexpected code execution and network/system modification in a skill users would reasonably expect to be a local image generator.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
A QR-code generation skill should not silently install packages at runtime as part of normal execution, especially on import. This behavior changes the host environment and may execute third-party package installation logic, making the skill materially more dangerous than its stated purpose suggests.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The skill explicitly supports encoding sensitive material such as WiFi credentials and phone numbers into QR codes but provides no privacy warning about shoulder-surfing, image leakage, or insecure storage on disk. In this context, default desktop saving increases exposure because secrets may persist in an easily accessible location or be shared unintentionally.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Automatically running pip at import time performs system changes and subprocess execution without warning, confirmation, or administrative controls. In a skill context, this is especially risky because users expect a simple content-generation utility, not code that alters installed software and network-fetches dependencies behind the scenes.

VirusTotal

64/64 vendors flagged this skill as clean.
