Qr Campaign Studio
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you process an untrusted batch file, it could create or overwrite PNG/JSON files outside the folder you chose for QR output.
The batch row name comes directly from CSV/JSON input and is joined into output paths without rejecting path separators or traversal. A crafted batch file could place generated files outside the intended output directory.
name = (row.get('name') or f'item-{i}').strip()
out = os.path.join(args.output_dir, f'{name}.png')
meta_out = os.path.join(args.output_dir, f'{name}.meta.json')
Use only trusted batch files. The skill should sanitize names to safe basenames and verify resolved output paths remain inside the requested output directory.
Sensitive information encoded in a QR code may also appear in terminal output, agent logs, or metadata files, not only in the QR image itself.
The generated metadata includes a preview of the QR payload and prints it to stdout. For WiFi QR codes, that preview can include the WiFi password; for vCards, it can include personal contact details.
return f"WIFI:T:{security};S:{ssid};P:{password};H:{str(hidden).lower()};;"
...
"payload_preview": payload[:120],
...
print(json.dumps(meta, ensure_ascii=False))
Avoid using this skill for secrets unless you can secure all outputs. The skill should redact payload previews for WiFi/vCard content or make sensitive metadata output an explicit opt-in.
