Infoxmed Qr Generator

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill likely does what it says, but it asks for and stores an Infoxmed API password and can create high-use membership activation QR codes, so it needs review before use.

Use this only if you trust the skill publisher and are authorized to generate Infoxmed VIP activation QR codes. Prefer configuring the password yourself through a secure secret mechanism, confirm every parameter including scan count before the API call, and avoid using the 9999 default unless it is truly intended.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A service password with authority over Infoxmed QR generation may be handed to the agent and used for business-impacting actions.

Why it was flagged

The skill requires and collects an Infoxmed API password that can authorize membership QR generation, even though the registry metadata declares no primary credential or required environment variable.

Skill content

`password`: Read from environment variable `INFOXMED_VIP_PASSWORD`. If not set, **stop and tell the user** to configure it ... Ask the user: "Detected that INFOXMED_VIP_PASSWORD is not configured. Please provide your API password and I will configure it for you automatically."

Recommendation

Only use this if you trust the publisher and are authorized for the Infoxmed account. The skill should declare the credential requirement and prefer a scoped secret store over ad-hoc password collection.

What this means

The password may remain on the computer across sessions and could be exposed to anyone or anything that can read the user's shell profile or environment.

Why it was flagged

The setup flow modifies shell profile files or the Windows user environment to persist the password, without a separate explicit opt-in, cleanup path, or safer secret-storage guidance.

Skill content

echo 'export INFOXMED_VIP_PASSWORD="USER_PROVIDED_PASSWORD"' >> "$PROFILE" ... [System.Environment]::SetEnvironmentVariable("INFOXMED_VIP_PASSWORD", "USER_PROVIDED_PASSWORD", "User")

Recommendation

Ask for explicit consent before persisting secrets, explain where they will be stored, provide removal instructions, and consider a secure credential manager instead.

What this means

A mistaken or unauthorized request could create QR codes that activate many memberships or scans.

Why it was flagged

The skill can call a QR generation API with a default of 9999 scans for multi-use cards, with no documented cap, authorization check, or clearly required final approval after the parameter display.

Skill content

else:
    vipCarType = 2, times = user_specified or 9999 ... `https://api.infox-med.com/system/batchGenerateVipQr?...&vipCarType={vipCarType}&times={times}`

Recommendation

Require an explicit user-confirmed scan count and final approval before every API call, add safe upper bounds, and verify the requester is authorized for the hospital and business channel.

What this means

It is harder to verify that the skill is maintained by, or legitimately affiliated with, Infoxmed.

Why it was flagged

The skill has sparse provenance information, which matters because it instructs users to provide a service password and contact a business API.

Skill content

Source: unknown
Homepage: none
No install spec — this is an instruction-only skill.

Recommendation

Verify the publisher and API documentation before providing credentials or using the generated QR codes operationally.