PicSee URL Shortener & QR Codes (Web)

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it shortens URLs with PicSee and only installs local QR-code dependencies if the user asks for a QR code.

Install only if you are comfortable sending URLs to PicSee. If you are logged into PicSee in the OpenClaw browser profile, shortened links may be associated with that account. Only request QR-code generation if you accept creating a local Python virtual environment and installing the qrcode and pillow packages.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Context-Inappropriate Capability

Medium

Confidence: 90% confidence
Finding: The skill instructs the agent to create a virtual environment, install packages, and execute shell/Python code locally just to generate a QR code. That expands the skill from simple web interaction into arbitrary local code execution and dependency installation, which increases attack surface and can be abused or normalized in contexts where such execution is not necessary.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal