qr-code-toolkit

Security checks across malware telemetry and agentic risk

Overview

This is a local QR-code utility whose main risk is that QR images and terminal output can expose whatever sensitive data the user chooses to encode.

Install only if you are comfortable running a local bash helper for QR work. Avoid using real WiFi passwords unless you intend to share them, prefer guest or temporary credentials, and delete or protect generated QR images that contain WiFi credentials, contact details, tokens, or other private data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 88%
Finding
The README demonstrates generating a WiFi QR code using a plaintext password but does not warn that the resulting QR image encodes reusable network credentials. Users may share, store, or expose the image or shell history without realizing it contains sensitive access data, which can lead to unauthorized network access.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly supports generating WiFi and vCard QR codes from secrets and personal data, but it does not warn that the encoded contents may include passwords, phone numbers, and email addresses and that resulting image files are persisted to disk. This creates a realistic risk of accidental disclosure through shared workspaces, backups, screenshots, or later reuse of the saved QR images, especially because QR contents are easily machine-readable by anyone with access to the file.

Missing User Warnings

Medium
Confidence: 94%
Finding
The WiFi QR feature embeds the supplied SSID and password into a PNG file on disk with a predictable location and filename, but gives no warning that sensitive credentials are being persisted. In an agent or shared workstation context, that file can be accessed later by other local users, backup systems, sync tools, or logs/output history, exposing network credentials beyond the user's immediate intent.

Missing User Warnings

Low
Confidence: 82%
Finding
The QR reader prints decoded contents directly to the terminal without any sensitivity check or warning. If the QR contains secrets, tokens, WiFi credentials, or terminal control sequences, this can expose confidential data to shell history capture, session logs, shoulder-surfing, or cause terminal injection-style display issues depending on the terminal environment.

VirusTotal

66/66 vendors flagged this skill as clean.
