ClawHub
Back to skill
v1.0.0

我的二维码生成技能

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 6:09 AM.

Analysis

The QR-code function is coherent, but the skill attempts to run automatic pip installs from its code, so it should be reviewed before installation.

GuidanceReview this skill before installing. The QR generation behavior is straightforward, but consider preinstalling qrcode and Pillow yourself from trusted, pinned versions or removing the automatic pip install logic. Also choose output paths carefully to avoid overwriting files.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
SeverityMediumConfidenceHighStatusConcern
agent.py
except ImportError:
    subprocess.check_call([sys.executable, "-m", "pip", "install", package])
...
# 初始化:安装依赖库
install_dependencies()

The module attempts to run pip installation commands automatically when loaded, rather than only during an explicit user-approved setup step.

User impactInstalling or invoking the skill may modify the local Python environment and contact package repositories before the user has clearly approved that action.
RecommendationRemove the automatic install call or move dependency installation into an explicit install step with user approval and pinned package versions.
Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
agent.py
if not save_path:
    save_path = os.path.expanduser("~/Desktop/qr_code.png")
...
if not os.path.exists(save_dir):
    os.makedirs(save_dir)
...
img.save(save_path)

The skill saves generated images to disk and creates the destination directory if missing; this matches the stated QR export purpose but still changes local files.

User impactA chosen save path could create directories or overwrite an existing file at that path.
RecommendationUse a non-sensitive output folder and confirm the destination filename before generating QR codes.