Back to skill
Skillv1.1.1
VirusTotal security
Generate Qrcode · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:34 AM
- Hash
- dc1cd4bc0b3f49e6d95895fa6e6fb2edc15f2b07891bc3ce070e44454abd62a6
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: qrcode-gen-yn Version: 1.1.1 The skill bundle's `agent.py` script is designed to generate QR codes and save them to a user-specified path. However, it exhibits a path traversal vulnerability as it directly uses the `output_file` argument for `img.save()` and `os.makedirs()` without proper sanitization. This allows an attacker to write files to arbitrary locations on the filesystem (e.g., `../../../../tmp/malicious.png`), which could lead to unauthorized file modification or creation outside the intended skill directory. While not explicitly malicious in intent, this vulnerability poses a significant security risk.
- External report
- View on VirusTotal