Qr Campaign Studio
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its QR-code purpose, but batch inputs can make it write outside the chosen output folder and metadata can expose QR contents such as WiFi passwords.
Install only if you are comfortable running local Python scripts and managing the generated files. Use a dedicated output folder, avoid untrusted batch CSV/JSON files, and treat QR images, metadata, and logs as sensitive when generating WiFi or contact QR codes.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you process an untrusted batch file, it could create or overwrite PNG/JSON files outside the folder you chose for QR output.
The batch row name comes directly from CSV/JSON input and is joined into output paths without rejecting path separators or traversal. A crafted batch file could place generated files outside the intended output directory.
name = (row.get('name') or f'item-{i}').strip()
out = os.path.join(args.output_dir, f'{name}.png')
meta_out = os.path.join(args.output_dir, f'{name}.meta.json')
Use only trusted batch files. The skill should sanitize names to safe basenames and verify resolved output paths remain inside the requested output directory.
Sensitive information encoded in a QR code may also appear in terminal output, agent logs, or metadata files, not only in the QR image itself.
The generated metadata includes a preview of the QR payload and prints it to stdout. For WiFi QR codes, that preview can include the WiFi password; for vCards, it can include personal contact details.
return f"WIFI:T:{security};S:{ssid};P:{password};H:{str(hidden).lower()};;" ... "payload_preview": payload[:120], ... print(json.dumps(meta, ensure_ascii=False))
Avoid using this skill for secrets unless you can secure all outputs. The skill should redact payload previews for WiFi/vCard content or make sensitive metadata output an explicit opt-in.
