Back to skill
Skillv1.0.0
ClawScan security
QR Code Tool · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 3, 2026, 1:37 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only QR code generator whose requirements and instructions match its stated purpose and do not request unrelated credentials or system access.
- Guidance
- This skill is instruction-only and appears coherent. Before running the code: (1) verify and run examples locally in a safe environment (you’ll need Python and pip), (2) review any inputs you pass (e.g., WiFi passwords or contact details) so you do not accidentally expose secrets, and (3) install the qrcode[pil] package from PyPI using pip in a virtualenv to avoid affecting your system Python. If the skill came from an unknown source, inspect the SKILL.md yourself before use.
Review Dimensions
- Purpose & Capability
- okThe name/description (QR code generation for URLs, WiFi, vCards, styled images, batch jobs) aligns with the provided instructions and examples. All code samples and the listed dependency (qrcode[pil]) are appropriate for this functionality.
- Instruction Scope
- okSKILL.md only contains local code examples (Python) that create image files, compose QR payloads (including WiFi/vCard formats), and manipulate images. The instructions do not read unrelated files, environment variables, or send data to external endpoints.
- Install Mechanism
- okThere is no install spec and no downloads; the doc recommends installing the public pip package qrcode[pil], which is proportionate for the stated functionality. No extracted archives or external URLs are used.
- Credentials
- okThe skill requests no environment variables, credentials, or config paths. Examples accept sensitive inputs (e.g., WiFi password) but those are user-supplied and not read from the environment.
- Persistence & Privilege
- okSkill is not always-enabled and does not request persistent privileges or modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with any elevated access.