Is anisafifi/qr-code-generator safe?

SKILL.md advertises a prerequisite of installing OpenClawCLI from clawhub.ai. Although clawhub.ai is the OpenClaw platform operator (the same entity hosting these skills), the CLI tool's code and behavior cannot be verified from the skill's own evidence. An agent following these instructions would prompt users to download and install a proprietary binary. If the platform were compromised or the CLI were malicious, this could establish a persistent foothold.

The WiFi QR code generation workflow passes the network password as a plaintext command-line argument (--password). On Unix systems, command-line arguments are visible in /proc//cmdline and in shell history. In an agent context, these arguments would also appear in agent logs and potentially in conversation history. This creates a risk that WiFi credentials are inadvertently exposed when agents generate WiFi QR codes on behalf of users.

The --batch flag accepts any file path (txt, csv, json) and encodes each line as QR code data. In an agentic workflow where the agent has broad filesystem access, a user or attacker could direct the agent to batch-process sensitive files (e.g., ~/.env, config files), resulting in their contents being encoded into QR images that could be displayed or exfiltrated.

The skill depends on qrcode[pil], segno, and Pillow. While these are well-established packages, requiring pip installation expands the system's package surface. No npm install hooks or pre/post-install scripts were found in the Python ecosystem for these packages, but dependencies introduce transitive risk.

Audit records show the six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened for reading at timestamp 1771922133.740, approximately 5 seconds after skill installation completed. No EXECVE records link this access to the Python skill code. The timing and access pattern are consistent with the Oathe audit framework performing its final canary integrity verification. All files confirmed unmodified.

SKILL.md includes examples using shell command substitution ($(cat message.txt)) as a data source for QR encoding. When an agent internalizes this pattern and later applies it to satisfy user requests, it may inadvertently apply command substitution to sensitive commands or file paths.

Full review of SKILL.md found no hidden instructions, invisible unicode characters, HTML comments, persona override commands, or instructions to suppress output or ignore prior system instructions. The skill content is consistent with legitimate QR code generation documentation.

The installation process performed a shallow sparse-checkout clone of the openclaw/skills GitHub monorepo, extracted only the target skill subdirectory, copied it to the designated location, and cleaned up. No unexpected binaries were downloaded, no background processes were spawned, and no persistent network connections were established as a result of installation.