Advanced QR Intelligence
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: qr-code
Version: 1.0.0
The OpenClaw AgentSkills skill bundle for QR code generation and reading is benign. All files, including the `SKILL.md` instructions and Python scripts (`qr_generate.py`, `qr_read.py`), are clearly aligned with the stated purpose. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, prompt injection attempts against the agent, or obfuscation. The skill uses standard Python libraries (`qrcode`, `pillow`, `pyzbar`) and system package managers for dependencies, without introducing any suspicious components or behaviors.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious QR code could contain misleading instructions or unsafe links if the agent treats decoded text as authoritative.
The reader returns arbitrary QR payload text directly to the user/agent. This is purpose-aligned, but QR contents can be untrusted text or URLs.
'data': obj.data.decode('utf-8', errors='replace') ... print(results[0]['data'])
Treat decoded QR content as untrusted data; do not automatically follow links or obey instructions embedded in QR payloads.
If given an unsafe output path, the tool could overwrite a local file with a QR image.
The generator writes to the output path supplied at invocation time. This is expected for QR generation, but the path should be chosen carefully to avoid overwriting unintended files.
parser.add_argument('output', help='Output file path (PNG)') ... img.save(output_path)
Use explicit, safe output filenames in a working directory intended for generated QR images.
Installing dependencies from package managers adds normal supply-chain exposure if packages or system libraries are not obtained from trusted sources.
The skill discloses manual third-party package and system-library installation steps, but they are not pinned in an install spec. These dependencies are purpose-aligned for QR/image handling.
pip install qrcode pillow ... pip install pillow pyzbar ... macOS: `brew install zbar` ... Linux: `apt install libzbar0`
Install from trusted package repositories, prefer a virtual environment, and consider pinning dependency versions if reproducibility matters.
