Skill v1.0.0
VirusTotal security
My QR Code Generation Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review: May 1, 2026, 4:46 AM
- Hash: fd77f125f37ac8349cc7c40f6426130bcad686aa1b622e2c83c9768fe85fb2f8
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: generate-qr-code. Version: 1.0.0. The skill is classified as suspicious due to two main reasons in `agent.py`. First, it uses `subprocess.check_call` to automatically install dependencies (`qrcode`, `pillow`). While the package names are hardcoded, this demonstrates the ability to execute arbitrary system commands, which is a powerful primitive that could be exploited if the package names were dynamic or if the `pip` supply chain were compromised. Second, the `generate_qr` function directly uses the `save_path` parameter for file saving and directory creation (`os.makedirs`, `img.save`) without apparent sanitization. This creates an arbitrary file write/path traversal vulnerability, allowing a malicious user to potentially write files to arbitrary locations on the filesystem if the OpenClaw agent does not sanitize user input for `save_path`.
