My QR Code Generation Skill

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to generate QR codes as described, but it can automatically run pip install commands when loaded, so it needs review before use.

Only install this if you are comfortable with it writing QR image files locally and with its Python dependency behavior. Prefer preinstalling pinned qrcode/Pillow versions through a trusted package manager, or remove the auto-install block before enabling the skill.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (High Confidence)
ASI05: Unexpected Code Execution
What this means

The skill may run package-install commands and potentially change the agent's Python environment before or during QR generation.

Why it was flagged

The dependency installer is called at module load and can run pip automatically for unpinned packages, despite the supplied install spec saying there is no install mechanism.

Skill content
subprocess.check_call([sys.executable, "-m", "pip", "install", package]) ... install_dependencies()
Recommendation

Move dependency installation into a reviewed install spec, pin trusted package versions, and require user/admin approval before running pip.

What this means

A QR image file will be created locally and may overwrite an existing file at the chosen path.

Why it was flagged

The function writes the generated QR image to a default or user-specified local path and creates missing directories. This is expected for the skill, but it affects the local filesystem.

Skill content
if not save_path: ... "~/Desktop/qr_code.png" ... os.makedirs(save_dir) ... img.save(save_path)
Recommendation

Use an explicit, trusted save path and avoid pointing the skill at protected or important existing files.