Cli Qr Refiner

Security checks across malware telemetry and agentic risk

Overview

This skill is a local QR-code text-to-image converter with minor handling precautions for QR data.

Reasonable to install for converting terminal QR blocks into PNG images. Use it only on QR content you intend to scan, store temporary QR text in a private temp file, delete the temp file and generated image when no longer needed, and treat login or account-linking QR codes like short-lived secrets.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill instructs agents to write captured terminal QR data to a temporary file without any guidance on sensitivity, retention, or secure handling. QR codes used in CLI flows often encode login sessions, device pairing tokens, or other short-lived secrets, so storing them in predictable temp locations can expose credentials to other local users, logs, or later processes.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal