Back to skill
Skillv1.0.3
ClawScan security
QR Code Generation And Recognition - 二维码生成识别 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 3, 2026, 9:51 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requested environment variable match its stated purpose (calling the JisuAPI QR code endpoints); nothing requests unrelated credentials or performs unexpected I/O or network calls.
- Guidance
- This skill will send any text or image data you provide to the third‑party JisuAPI service (api.jisuapi.com) using the JISU_API_KEY you set — do not send sensitive secrets or private images unless you trust that service. Ensure you understand JisuAPI's billing/rate limits and privacy policy. Operationally, the script requires the Python 'requests' package to be present; install it if needed (pip install requests). Finally, review that you are comfortable granting a single AppKey (JISU_API_KEY) to this skill before installing or invoking it.
Review Dimensions
- Purpose & Capability
- okName/description describe QR code generation/recognition via JisuAPI and the skill only requires python3 and JISU_API_KEY, which are appropriate and expected for that integration.
- Instruction Scope
- okSKILL.md and the script only instruct the agent to call JisuAPI endpoints for generate/read/template operations and to read the JISU_API_KEY env var; they do not instruct reading unrelated files, other env vars, or contacting other endpoints.
- Install Mechanism
- noteNo install spec (instruction-only) — lowest risk. One operational caveat: the script imports the third-party 'requests' Python package but the skill metadata does not declare installing it; this is an availability/operational issue, not a security concern.
- Credentials
- okOnly a single credential (JISU_API_KEY) is required and used as the AppKey parameter to the documented JisuAPI endpoints; this is proportional to the stated functionality.
- Persistence & Privilege
- okThe skill is not always-enabled and does not request elevated or persistent platform privileges or modify other skills; autonomous invocation is allowed by default but is not combined with other concerning behaviors.