ClawHub

Qrcode Generator

v1.0.0

Generate QR codes from text, URLs, or data for payments, WiFi sharing, or any task needing a scannable QR code image.

0· 278·2 current·2 all-time
by@shixiaoliuo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included script: a Node.js script that encodes provided text/URLs into a PNG QR code and writes it to disk. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructs running the included Node script and returning the output path. The script writes the PNG to the specified path and prints the encoded content to stdout (console). Printing the content may cause the data to appear in logs—this is behavior to be aware of but is aligned with the purpose.
!
Install Mechanism
There is no install spec even though the script requires the 'qrcode' npm package. At runtime the module will fail unless Node and the dependency are installed. Lack of an install step is an operational omission (not an outright threat) but is an incoherence between code and SKILL metadata.
Credentials
The skill requests no environment variables or credentials and the code does not read external secrets. It writes a file to disk (default current working directory or user-supplied path), which is expected for this functionality.
Persistence & Privilege
always is false and the skill does not request persistent presence or modify other skills or system-wide agent settings. It runs as a one-off script and has no autonomous elevation of privileges.
Assessment
This skill appears to be what it claims: a small Node.js QR code generator. Before installing/using it: (1) ensure Node.js is available and run `npm install qrcode` (or add a package.json) — the skill provides no install step; (2) run it in a safe/sandboxed workspace to avoid unintentionally overwriting files (the output path can be any filesystem path you provide); (3) avoid encoding sensitive secrets because the script prints the content to stdout (which may be captured in logs); (4) if you want stricter behavior, remove the console.log that prints the content or restrict output paths. No network calls or credential access were observed in the code.

Like a lobster shell, security has layers — review code before you run it.

latestvk9780axybapjtmj3a2hz9yy62h82ck65

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments