Qr Campaign Studio

Security checks across malware telemetry and agentic risk

Overview

This QR skill mostly does what it advertises, but it can expose Wi-Fi passwords in metadata/log output and batch filenames can write outside the selected output folder.

Review before installing. Use only trusted batch CSV/JSON files, avoid path separators in batch names, use a dedicated output directory, and treat generated images, metadata files, and terminal logs as sensitive when creating Wi-Fi or contact QR codes.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: When generating Wi-Fi QR codes, the script embeds the SSID/password into the QR payload, saves the QR image to disk, and prints/writes metadata including a payload preview. That behavior can leak sensitive network credentials into logs, artifact stores, terminal history capture, or metadata files, especially in an agent or batch-processing environment where outputs are retained or shared.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal