Advanced QR Intelligence
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious QR code could contain misleading instructions or unsafe links if the agent treats decoded text as authoritative.
The reader returns arbitrary QR payload text directly to the user/agent. This is purpose-aligned, but QR contents can be untrusted text or URLs.
Evidence: `'data': obj.data.decode('utf-8', errors='replace') ... print(results[0]['data'])`
Recommendation: Treat decoded QR content as untrusted data; do not automatically follow links or obey instructions embedded in QR payloads.
If given an unsafe output path, the tool could overwrite a local file with a QR image.
The generator writes to the output path supplied at invocation time. This is expected for QR generation, but the path should be chosen carefully to avoid overwriting unintended files.
Evidence: `parser.add_argument('output', help='Output file path (PNG)') ... img.save(output_path)`
Recommendation: Use explicit, safe output filenames in a working directory intended for generated QR images.
Installing dependencies from package managers adds normal supply-chain exposure if packages or system libraries are not obtained from trusted sources.
The skill discloses manual third-party package and system-library installation steps, but they are not pinned in an install spec. These dependencies are purpose-aligned for QR/image handling.
Evidence: `pip install qrcode pillow` ... `pip install pillow pyzbar` ... macOS: `brew install zbar` ... Linux: `apt install libzbar0`
Recommendation: Install from trusted package repositories, prefer a virtual environment, and consider pinning dependency versions if reproducibility matters.
