Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

QR Code

v1.0.1

Generate, decode, and beautify QR codes with customizable colors, logos, and formats. Works across all OpenClaw channels including WhatsApp.

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match the operations described (generate, decode, beautify). Requested Python packages (qrcode[pil], pillow, numpy, pyzbar) are consistent with QR generation/decoding. Minor inconsistencies: SKILL.md claims it leverages a built-in 'qr_code_operations' tool yet also requires a 'companion plugin' from GitHub for advanced features; file path conventions use both ~/.openclaw and ~/clawd which is inconsistent and could confuse installation or imply different workspace roots.
! Instruction Scope
The SKILL.md explicitly instructs users to fetch and run a remote install script (curl -s https://raw.githubusercontent.com/.../install.sh | bash) and to restart the gateway. That action grants the remote script full execution on the machine. The instructions reference workspace file locations and ask users to place logos under a workspace directory (reasonable), and include validations (no '..'), but do not provide the install.sh contents or hashes to verify integrity. Basic install instructions also reference an unspecified 'skill.zip' from 'ClawHub' without a download URL.
! Install Mechanism
There is no formal install spec in the registry, only prose recommending running a remote install script piped to bash from GitHub raw. While GitHub is a known host, piping remote scripts to a shell is high risk because the script could perform arbitrary changes, install additional packages, or run network calls. The SKILL.md claims the script will install Python packages automatically (allowed packages listed), but the script itself was not provided for review nor accompanied by a checksum or release tag to validate authenticity.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. The requested Python packages are proportionate to QR generation/decoding. There is no evidence the skill asks for unrelated credentials or secrets.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. The install instructions suggest writing files into user directories (~/.openclaw, ~/clawd) and restarting the gateway — normal for a plugin — but this implies the installer script will modify local files/services, so users should verify what the script does before running it.
What to consider before installing
This skill appears to do what it says (QR generation/decoding), but the installation guidance asks you to run a remote install script piped to bash and to restart the OpenClaw gateway. Running unknown scripts is risky. Before installing:
1) Inspect the GitHub repo and read install.sh (do not run it blind); verify the repo owner, commit history, and open-source license.
2) Prefer installing dependencies via your system/package manager rather than a curl|bash pipeline.
3) If you must run the script, verify a commit/tag and checksum, or run it inside a disposable VM or container.
4) Confirm which directories the installer will modify (the SKILL.md uses both ~/.openclaw and ~/clawd) and back up any important data.
If you want, provide the install.sh contents or the GitHub repo URL and I can help review the script for suspicious actions.

Like a lobster shell, security has layers — review code before you run it.

961 downloads
2 stars
2 versions
MIT-0

QR Code Skill

⚠️ This skill requires the companion plugin to function!

🚀 Quick Start

💎 Recommended: Full Feature Installation

For the complete experience with rounded dots, gradient colors, logo integration, and natural language support, install from GitHub:

curl -s https://raw.githubusercontent.com/zouyawen/openclaw-qrcode/main/install.sh | bash
openclaw gateway restart

Basic Installation (from ClawHub)

This provides basic QR code functionality only:

mkdir -p ~/.openclaw/skills/qr-code
# Extract the downloaded skill.zip to this directory
openclaw gateway restart

💡 Pro Tip: The GitHub installation includes advanced features like rounded dots, color gradients, and logo embedding that aren't available through ClawHub alone!

Features

  • Generate: Create QR codes with custom colors, background, size, logo overlay, and format (PNG, JPG, SVG)
  • Decode: Extract data from QR code images
  • Beautify: Enhance existing QR codes with new styling while preserving data
  • Natural Language: Just say "make a colorful QR code" or "add a logo to this QR code"
  • Cross-channel compatibility: Works seamlessly across all OpenClaw channels including WhatsApp, Telegram, Discord, etc.
  • Automatic format handling: Converts formats as needed for channel compatibility
  • Enhanced security: Path traversal protection, input validation, and secure error handling
  • WhatsApp optimization: Automatic SVG-to-PNG conversion for WhatsApp compatibility

Security Features

  • Path traversal protection: Logo paths are validated to prevent directory traversal attacks
  • Input sanitization: All color, size, and format parameters are strictly validated
  • Secure error handling: Comprehensive try-catch blocks prevent information leakage
  • File access restrictions: Only allows access to files within the workspace directory

Usage Examples

Natural Language (Recommended)

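  • "Generate a gradient-colored QR code with round dots, with the content https://example.com"
  • "Add a logo in the middle of the QR code"
  • "Use blue and yellow for a gradient effect"
  • "What is the content of this QR code image?" (attach image)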

Command Mode (Optional)

/qr generate https://mzt315.com color=red backgroundColor=white size=10 format=png
/qr decode [attach QR code image]  
/qr beautify [attach QR code image] color=green backgroundColor=black size=12

With Logo (Secure)

/qr generate https://mzt315.com logoPath=logo.png

Note: Logo paths must be relative to the workspace; absolute paths and paths containing .. are not allowed.

File Locations

  • QR Code Output: ~/clawd/qr-codes/
  • Logo Assets: ~/clawd/qr-assets/ (place your logo files here)

WhatsApp Compatibility

  • Automatically handles WhatsApp's format requirements (PNG/JPG only)
  • Automatic SVG-to-PNG conversion: If SVG is requested on WhatsApp, it's automatically converted to PNG
  • Returns MEDIA paths that can be sent directly to any channel
  • Optimized for mobile viewing with appropriate sizing

Input Validation

  • Colors: Must be valid CSS color names or hex codes (e.g., "red", "#FF0000")
  • Background Colors: Same validation as colors
  • Size: Must be a number between 1 and 50 (inclusive)
  • Format: Must be one of: png, jpg, jpeg, svg
  • Logo Path: Must be a relative path within the workspace directory
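
The rules listed above, together with the logo-path note under "With Logo (Secure)", can be enforced as in the following sketch. This is an added example, not the skill's or the plugin's own code: the function names, the integer-only size and the short CSS color-name set are assumptions made for illustration. It also shows why a string check for `..` alone is not enough: a symlink inside the workspace can still point outside it.

```python
import re
from pathlib import Path

ALLOWED_FORMATS = {"png", "jpg", "jpeg", "svg"}
HEX_COLOR = re.compile(r"#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})")
# Constructed subset of CSS color names, enough for the demo.
CSS_NAMES = {"black", "white", "red", "green", "blue", "yellow"}


def validate_params(color, background, size, fmt):
    """Return (size, format) or raise ValueError; limits are the ones the page lists."""
    for value in (color, background):
        if value.lower() not in CSS_NAMES and not HEX_COLOR.fullmatch(value):
            raise ValueError("invalid color")  # input is not echoed back
    n = int(str(size))  # "abc" or "10.5" raises ValueError (integers assumed)
    if not 1 <= n <= 50:
        raise ValueError("size must be between 1 and 50")
    if fmt.lower() not in ALLOWED_FORMATS:
        raise ValueError("format must be png, jpg, jpeg or svg")
    return n, fmt.lower()


def resolve_logo(workspace, logo_path):
    """Return the resolved logo path, or raise ValueError if it leaves the workspace."""
    candidate = Path(logo_path)
    if candidate.is_absolute() or ".." in candidate.parts:
        raise ValueError("logo path must be relative and must not contain '..'")
    root = Path(workspace).resolve()
    # resolve() follows symlinks, so a link inside the workspace that points
    # outside it is rejected even though its name passes the string checks.
    resolved = (root / candidate).resolve()
    if root not in resolved.parents:
        raise ValueError("logo path escapes the workspace")
    return resolved


if __name__ == "__main__":
    import os
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample workspace
        ws = Path(tmp, "ws")
        ws.mkdir()
        (ws / "logo.png").write_bytes(b"")
        os.symlink("/etc/hostname", ws / "link.png")
        for name in ("logo.png", "../x.png", "/etc/passwd", "link.png"):
            try:
                print(name, "->", resolve_logo(ws, name))
            except ValueError as exc:
                print(name, "rejected:", exc)
```
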

Installation Requirements

This skill works best with the companion plugin from GitHub:

# Full feature installation (recommended)
curl -s https://raw.githubusercontent.com/zouyawen/openclaw-qrcode/main/install.sh | bash

# Python dependencies (installed automatically by the script)
# qrcode[pil], pillow, numpy, pyzbar

Technical Details

This skill leverages OpenClaw's built-in qr_code_operations tool which supports both Python-based advanced features and Node.js fallback for maximum compatibility across different environments. All operations include comprehensive error handling and security validation.
