Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
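My QR Code Generation Skill
v1.0.0
Generates QR codes for text, URLs, or WiFi information, with customizable size and color. The QR code image is saved to a specified path, defaulting to the desktop.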
by 杨振甫 @yangzhenfu
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (generate QR codes, customize size/color, save to path) align with the bundled SKILL.md and agent.py. The code implements generate_qr(text,size,color,save_path) and uses qrcode/Pillow as described—no unrelated services or credentials are requested.
Instruction Scope
SKILL.md and agent.py stay within the stated purpose. The skill writes image files to disk (user-specified path or Desktop) and will create directories if missing; this is necessary for saving output. One minor note: the code reads the USERPROFILE environment variable when choosing the Windows desktop path (os.environ["USERPROFILE"]), but the registry metadata declares no env vars; this is a small implementation detail rather than scope creep.
Install Mechanism
There is no install spec in the registry; instead agent.py attempts to auto-install missing dependencies at runtime using subprocess.check_call([sys.executable, "-m", "pip", "install", package]). Installing from PyPI at runtime is common but has moderate risk (network fetch, executing package install hooks). This behavior is expected for a Python instruction-only skill but consider pre-installing or pinning versions.
Credentials
The skill does not request credentials or config paths. It does read USERPROFILE (for Windows desktop path) and uses os.path.expanduser on other OSes; this is proportional to the need to compute a default save location. No other environment variables or secrets are accessed or transmitted.
Persistence & Privilege
The skill is user-invocable, not always-enabled, and does not modify other skills or global agent settings. It writes files only to user-specified locations (or default Desktop) and does not request persistent elevated privileges.
Assessment
This skill appears to do what it claims: generate and save QR images. Before installing/using: (1) be aware the Python file will try to pip-install 'qrcode' and 'pillow' at runtime; if you prefer, install these packages yourself in a virtual environment or pin versions; (2) the skill will write files to the path you specify (defaults to your Desktop) and will create directories as needed, so avoid giving paths you don't want modified; (3) running code that performs pip installs fetches code from PyPI (network), so run in a controlled environment if you are concerned; (4) if you want extra safety, review the agent.py source locally and run it in a sandbox or Python venv before granting broader access.
Like a lobster shell, security has layers: review code before you run it.
