Back to skill

Security audit

QR Code Generator

Security checks across malware telemetry and agentic risk

Overview

This QR-code skill appears purpose-aligned, but users should control the output filename and avoid sensitive input.

Install only if you are comfortable with it creating a local PNG. Use a specific output path, avoid overwriting important files, and do not encode secrets or private credentials in QR codes. Agents using this skill should pass text and filenames safely rather than interpolating them into shell commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence
91% confidence
Finding
The skill explicitly directs the agent to create and save a local PNG file, with a default filename in the current working directory, but does not require user confirmation or safeguards against overwriting an existing file. In an agent setting, silent file creation can cause unintended side effects, clobber user files, or leave artifacts on disk even when the task appears low risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal