Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
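Firefly Blue QR Code Tool (萤火蓝二维码工具)
v1.0.0
Generates QR codes containing text, URLs, or WiFi information; supports custom size, color, and save path, and saves to the desktop by default.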
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign, high confidence
Purpose & Capability
The name/description (生成二维码/条形码, "generate QR codes/barcodes") matches the SKILL.md and the code. The code implements generate_qr(text,size,color,save_path) and saves an image file; no extraneous permissions, binaries, or credentials are requested.
Instruction Scope
SKILL.md instructs extracting content/size/color/save_path and calling generate_qr. The implementation follows that and only performs QR generation, image resizing, directory creation, and file writes. It does not read unrelated files or exfiltrate data. Note: the skill will attempt to install Python packages at runtime (network activity to PyPI).
Install Mechanism
There is no formal install spec, but scripts/agent.py runs install_dependencies() at import time and invokes pip via subprocess to install 'qrcode' and 'pillow'. These are well-known PyPI packages (expected for this task), but runtime pip installs cause network activity and execute code fetched from the public package index—this is a moderate operational risk to be aware of.
Credentials
The skill declares no required env vars or credentials. The code reads USERPROFILE (Windows) to compute a default desktop path, which is proportionate to its stated behavior. No secrets, tokens, or unrelated environment variables are requested or accessed.
Persistence & Privilege
always is false and the skill does not modify other skills or system-wide agent settings. It only writes image files to the filesystem (user-specified or desktop) and does not request persistent elevated privileges.
Assessment
This skill appears to do only QR generation and saving, but consider the following before installing:
(1) The code auto-installs Python packages via pip at runtime which will contact PyPI—if you require strict offline or audited installs, install dependencies yourself and/or remove the auto-install;
(2) The skill writes files to your filesystem (default: Desktop) — ensure you are comfortable with that path or specify a different save location with appropriate permissions;
(3) The source and homepage are unknown — if you prefer, review the included scripts/agent.py locally or run the skill in an isolated environment (virtualenv/VM/container) before granting it use in a production agent;
(4) If you have corporate policy about third-party packages, preinstall qrcode and Pillow from approved mirrors and disable the auto-install behavior.
Like a lobster shell, security has layers — review code before you run it.
