Qrcode Generator

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill coherently generates a QR-code PNG from user-provided text, with only minor cautions about local file output, echoed input, and an undeclared npm dependency.

This appears safe for ordinary QR-code generation. Before installing or using it, note that it writes a PNG file to disk, may overwrite an existing output file, prints the encoded content in plain text, and depends on an npm package that is not pinned in the provided artifacts.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A QR image will be saved locally, and choosing an existing or sensitive output path could replace a file.

Why it was flagged

The script writes the generated QR image to a caller-provided path or a default local file. This is purpose-aligned, but it can create directories and overwrite an existing file at that path.

Skill content

const output = outputPath || path.join(process.cwd(), 'qrcode.png'); ... fs.writeFileSync(output, buffer);

Recommendation

Use a safe output filename in a working directory you control, and avoid pointing the output at existing important files.

What this means

If the dependency is not already available, installation choices could affect reliability or dependency provenance.

Why it was flagged

The script relies on the qrcode npm package, but the provided artifacts include no package.json, lockfile, or install spec pinning the dependency version or source.

Skill content

const QRCode = require('qrcode');

Recommendation

Prefer a reviewed, pinned dependency installation if you need to install the qrcode package for this skill.

What this means

Sensitive text encoded into a QR code could also appear in plain text in the session output.

Why it was flagged

The script prints the exact QR content to console output, which may become part of the agent transcript or logs. This matters if the QR encodes sensitive data such as WiFi credentials or payment information.

Skill content

console.log(`Content: ${text}`);

Recommendation

Avoid encoding secrets unless you are comfortable with the text appearing in local command output or conversation history.