Skill v1.0.0

ClawScan security

QR Code Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 24, 2026, 12:32 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This skill's code and instructions match its stated purpose (local QR code generation); it requires only a standard Python package and does not request credentials or perform network exfiltration.
Guidance
This skill appears coherent and limited to generating QR PNGs locally. Before installing or running: (1) be aware you will be asked to install the qrcode/Pillow package from PyPI (standard but subject to normal supply-chain risks) — consider reviewing the package or using a virtualenv; (2) generated WiFi QR codes embed plaintext SSIDs/passwords — avoid creating/sharing QR codes that expose sensitive network credentials; (3) the script saves to disk (defaults to ~/qrcode_output.png) and may overwrite files if you reuse the same path; (4) if you need higher assurance, inspect the included scripts (already provided) and run them in an isolated environment. Overall the skill is internally consistent and does what it claims.

Review Dimensions

Purpose & Capability
ok: Name/description describe QR code generation and the included script implements text, WiFi, and vCard QR generation only. Required tools (Python qrcode and PIL) are appropriate and proportional to the stated purpose.
Instruction Scope
ok: SKILL.md instructs local generation and saving of PNG files and the script only reads command-line args and writes image files. There are no instructions to read unrelated files, access credentials, or call external endpoints.
Install Mechanism
note: There is no automated install spec (instruction-only), but SKILL.md asks the user to run `pip3 install qrcode[pil]` (or apt). This is expected for a Python script; installing from PyPI is normal but carries the usual supply-chain risk of third-party packages.
Credentials
ok: The skill requests no environment variables, no credentials, and the script does not access environment secrets or configuration files. All inputs come from CLI arguments.
Persistence & Privilege
ok: `always` is false and the skill does not modify other skills or system-wide configuration. It does not persist secrets or register itself persistently.