Back to skill
Skillv1.0.0
VirusTotal security
My Generate Qr Code · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:53 AM
- Hash
- 400e980f2d4dfdeca5ab39deefa79f580aa8402f55a7f2c9ae7f94f14eedfa3f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: my-generate-qr-code Version: 1.0.0 The skill is classified as suspicious due to a critical arbitrary file write vulnerability in `agent.py`. The `save_path` parameter in the `generate_qr` function is directly used to save the image without sufficient sanitization or restriction, allowing an attacker to potentially write files to arbitrary locations on the filesystem via prompt injection against the agent. Additionally, the `install_dependencies` function uses `subprocess.check_call` to install packages, which, while used for legitimate dependencies here, represents a risky capability for executing external commands.
- External report
- View on VirusTotal