Skill v1.0.1

ClawScan security

QR Code · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 12, 2026, 6:43 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (QR generate/decode/beautify) matches the instructions, but the README recommends running an unreviewed remote install script (curl | bash) and has small inconsistencies in paths/claims — proceed with caution and verify the companion plugin before installing.
Guidance
This skill appears to do what it says (QR generation/decoding), but the installation guidance asks you to run a remote install script piped to bash and to restart the OpenClaw gateway. Running unknown scripts is risky. Before installing:
1) Inspect the GitHub repo and read install.sh (do not run it blind); verify the repo owner, commit history, and open-source license.
2) Prefer installing dependencies via your system/package manager rather than a curl|bash pipeline.
3) If you must run the script, verify a commit/tag and checksum, or run it inside a disposable VM or container.
4) Confirm which directories the installer will modify (the SKILL.md uses both ~/.openclaw and ~/clawd) and back up any important data.
If you want, provide the install.sh contents or the GitHub repo URL and I can help review the script for suspicious actions.

Review Dimensions

Purpose & Capability
note
Name and description match the operations described (generate, decode, beautify). Requested Python packages (qrcode[pil], pillow, numpy, pyzbar) are consistent with QR generation/decoding. Minor inconsistencies: SKILL.md claims it leverages a built-in 'qr_code_operations' tool yet also requires a 'companion plugin' from GitHub for advanced features; file path conventions use both ~/.openclaw and ~/clawd, which is inconsistent and could confuse installation or imply different workspace roots.
Instruction Scope
concern
The SKILL.md explicitly instructs users to fetch and run a remote install script (curl -s https://raw.githubusercontent.com/.../install.sh | bash) and to restart the gateway. That action grants the remote script full execution on the machine. The instructions reference workspace file locations and ask users to place logos under a workspace directory (reasonable), and include validations (no '..'), but do not provide the install.sh contents or hashes to verify integrity. Basic install instructions also reference an unspecified 'skill.zip' from 'ClawHub' without a download URL.
Install Mechanism
concern
There is no formal install spec in the registry, only prose recommending running a remote install script piped to bash from GitHub raw. While GitHub is a known host, piping remote scripts to a shell is high risk because the script could perform arbitrary changes, install additional packages, or run network calls. The SKILL.md claims the script will install Python packages automatically (allowed packages listed), but the script itself was not provided for review nor accompanied by a checksum or release tag to validate authenticity.
Credentials
ok
The skill declares no required environment variables, no credentials, and no config paths. The requested Python packages are proportionate to QR generation/decoding. There is no evidence the skill asks for unrelated credentials or secrets.
Persistence & Privilege
note
The skill does not request always:true and is user-invocable only. The install instructions suggest writing files into user directories (~/.openclaw, ~/clawd) and restarting the gateway — normal for a plugin — but this implies the installer script will modify local files/services, so users should verify what the script does before running it.