Skill v1.0.4
ClawScan security
Local QR Code Generation And Recognition Not Require An API_KEY - 本地二维码生成与识别 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 3, 2026, 9:21 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements are consistent with a local QR-code generator/decoder that runs with python3 and local Python packages; nothing indicates hidden network calls or unrelated credential access.
- Guidance: This skill appears to do exactly what it claims: generate and decode QR codes locally. Before installing or running it, install the recommended Python packages from a trusted source (pip install "qrcode[pil]" opencv-python), and run the script in a directory where writing image files is acceptable. Note the script writes/reads files relative to the current working directory (absolute paths are blocked). The provided qrcode.py file appears duplicated/truncated in the package listing; consider fetching a clean, single-copy version from a trusted repository or asking the publisher to confirm the file integrity before use.
Review Dimensions
- Purpose & Capability (ok): Name/description request Python and local QR libraries only; the code imports qrcode and opencv (cv2) and performs only encode/decode operations. No unrelated credentials, binaries, or services are required.
- Instruction Scope (note): SKILL.md instructs running the included Python script with JSON args; the script only reads/writes files within the current working directory (it enforces no absolute paths and blocks leading '..'). This stays within the stated purpose. Note: the skill writes output files to the working directory and will read any image file path you provide, so choose the working directory carefully.
- Install Mechanism (ok): There is no install spec; SKILL.md suggests installing dependencies via pip (qrcode[pil], opencv-python). No external downloads or opaque install URLs are used.
- Credentials (ok): The skill requests no environment variables or credentials. Its dependency needs (Python packages) are proportional to QR generation/recognition.
- Persistence & Privilege (ok): Skill is not always-enabled and is user-invocable. It does not modify other skills or system configuration; it only reads/writes files under the agent's working directory.
