QRCode
v1.0.1Generate styled QR codes (SVG/PNG/JPG) from user input. Supports custom module color, background, dot shape and eye shape, and many output options.
⭐ 2· 903·5 current·5 all-time
by@hexavi8
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the code and dependencies (Node + qrcode + sharp). The included script implements QR generation and styling. Minor inconsistency: registry 'Requirements' reported no required binaries, while SKILL.md metadata correctly lists node and packages; this is an administrative mismatch but doesn't indicate malicious behavior.
Instruction Scope
Runtime instructions are scoped to generating and displaying QR image files, saving outputs to the workspace root, and offering regeneration. The SKILL.md does not instruct reading unrelated files, exfiltrating data, or accessing credentials. The agent is told to display generated files (expected).
Install Mechanism
No formal install spec in registry, but package.json exists and SKILL.md tells the user to run 'npm install'. Dependencies are from npm (qrcode, sharp). This is expected for the functionality, but sharp is a native module that may download prebuilt binaries or build from source during npm install—this is normal but increases install-time surface (network access, native build tools).
Credentials
The skill declares no environment variables, no credentials, and the code does not access external secrets. All required inputs are passed as command-line options. No disproportionate credential or config access was requested.
Persistence & Privilege
Skill does not request always:true and does not persist or modify other skills. It writes only to sanitized filenames in the resolved workspace root and includes defenses against symlink/TOCTOU attacks.
Assessment
This skill appears to do what it says: generate QR codes. Before installing/running: 1) Ensure Node is available on the agent host (SKILL.md expects 'node'); 2) Be aware 'npm install' will fetch qrcode and sharp from the npm registry—sharp may require native build tools or download prebuilt binaries (network access and build tools may be needed); 3) Confirm how WORKSPACE_ROOT is resolved in your environment (the script computes it as three directories up from the script location); outputs are strictly limited to the script's resolved workspace root and filenames are sanitized, but verify that matches your expected workspace; 4) Note that QR codes encode user-provided data — avoid generating/redistributing codes that point to malicious URLs or include secrets; 5) The registry metadata omission of the 'node' runtime is an administrative inconsistency — consider verifying the SKILL.md metadata and package.json before use. Overall this looks coherent and appropriate for its stated purpose.Like a lobster shell, security has layers — review code before you run it.
generatorvk974rtcda0brm0drky6ead0yz581n6byimagevk974rtcda0brm0drky6ead0yz581n6byjpgvk974rtcda0brm0drky6ead0yz581n6bylatestvk974rtcda0brm0drky6ead0yz581n6bynodevk974rtcda0brm0drky6ead0yz581n6bypngvk974rtcda0brm0drky6ead0yz581n6byqrvk974rtcda0brm0drky6ead0yz581n6byqrcodevk974rtcda0brm0drky6ead0yz581n6bysvgvk974rtcda0brm0drky6ead0yz581n6by
License
MIT-0
Free to use, modify, and redistribute. No attribution required.