Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

QR Code Generator

v1.0.0

A precision utility to generate QR code images from URLs or text using Python.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (generate QR codes) align with the declared requirements: python3 and the qrcode[pil] library. No unrelated binaries, env vars, or config paths are requested.
Instruction Scope
The SKILL.md instructs the agent to execute a Python one-liner that directly embeds user text: python3 -c "... img.add_data('USER_TEXT_HERE') ...". If the agent substitutes user input into that string literal without proper escaping, inputs containing quotes or newlines can break out of the literal, enabling code/command injection or at least runtime errors. The instructions also tell the agent to run pip install qrcode[pil] at runtime if the library is missing, which downloads and executes third-party code. Neither behavior is inherently required for QR generation, and both are risky without safeguards (escaping, passing the text via a file or stdin, preinstalling dependencies, or verifying package provenance).
Install Mechanism
There is no install spec (instruction-only), which is low-risk. However, the runtime behavior relies on pip to fetch qrcode[pil] if absent; on-demand pip installs pull external packages and can introduce supply-chain risk. The README references an install via ClawHub/GitHub but the skill's source/homepage are unknown.
Credentials
The skill requests no environment variables, credentials, or config paths, which is appropriate for a local QR generator. The README mentions Wi‑Fi credentials as example input (user-provided content) — that is a data-sensitivity concern for the user but not an environment/credential request by the skill.
Persistence & Privilege
The always flag is false, and the skill does not request persistent presence or modify other skills or system-wide settings. It writes output files to the current working directory, which is expected for this function.
What to consider before installing
This skill appears to do what it says (generate QR codes), but exercise caution before installing or using it:

1) The SKILL.md suggests running a python -c one-liner that embeds user text directly. Ensure the agent escapes or sanitizes input, or use a safer approach such as writing the text to a temporary file and passing the filename to Python, to avoid code injection.
2) The skill will attempt pip install qrcode[pil] at runtime if the library is missing. Verify package provenance and, where possible, pre-install dependencies in a controlled environment to avoid unexpected downloads.
3) The README references a ClawHub/GitHub install, but the published source/homepage are unknown; prefer skills with verifiable source.
4) Be mindful that output files are written to the agent's working directory, and avoid submitting sensitive secrets (e.g., Wi‑Fi passwords) unless you trust the environment.

If you want higher assurance, ask for the skill's source repository or a packaged release (so you can review code and dependency requirements) and request that the one-liner be replaced with a safer implementation that properly escapes input.


latest: vk97dax7jwf3eqxzzhy8m04ytm981t29r


Runtime requirements

Bins: python3