← 返回 Skills 市场
357
总下载
0
收藏
1
当前安装
3
版本数
在 OpenClaw 中安装
/install skill-qr-card
功能描述
Generate styled QR images/cards for ClawHub skills so users can scan and install instantly. Supports install-command payloads, ClawHub links, and GitHub link...
安全使用建议
This skill appears coherent and does what it claims, but check a few operational points before running: (1) Ensure your environment has Node and the 'qrcode' npm package (the repo does not declare an install step); (2) ImageMagick's 'convert' is optionally executed to create PNGs — verify you trust the 'convert' binary on the host; (3) The script writes files under ./images/ (it may overwrite similarly named files); (4) If you copy this into an automated agent, ensure the agent only supplies intended slugs/flags (the script will embed whatever you pass into the QR payload). If you want extra caution, run the script in a sandbox or container and review/lock the 'convert' binary before allowing automated invocation.
功能分析
Type: OpenClaw Skill
Name: skill-qr-card
Version: 0.1.2
The script `scripts/generate_qr_card.js` contains a shell injection vulnerability where the `--out` command-line argument is passed unsanitized into an `execSync` call to ImageMagick's `convert` utility. While this allows for potential Remote Code Execution (RCE) if an attacker can influence the output filename, there is no evidence of intentional malice or self-exploitation, qualifying it as a critical vulnerability rather than malware.
能力评估
Purpose & Capability
Name/description align with requested files and actions. The included script generates QR payloads for install/ClawHub/GitHub links and produces SVG (and optional PNG) outputs — all expected for a 'QR card' generator.
Instruction Scope
SKILL.md instructs the agent to run the bundled script with CLI flags and to return generated image paths. The script only reads CLI args, writes files under ./images/, and optionally invokes ImageMagick; it does not read other config files, environment variables, or network endpoints.
Install Mechanism
There is no install spec. The script requires Node and the npm package 'qrcode' (not declared) and will optionally call the system 'convert' binary to produce PNGs. This is operationally important (dependencies must be present) but not a security red flag.
Credentials
No environment variables, credentials, or config paths are requested. The script only uses user-supplied CLI arguments (slug, title, mode, github, out).
Persistence & Privilege
Skill is not always-enabled and does not request persistent system privileges. It writes output files to a local ./images/ directory (expected behavior) and does not modify other skills or system-wide configuration.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install skill-qr-card - 安装完成后,直接呼叫该 Skill 的名称或使用
/skill-qr-card触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.2
Improve description for scan-to-install QR sharing
v0.1.1
Add README and usage docs
v0.1.0
Initial release as Skill QR Card
元数据
常见问题
Skill QR Card 是什么?
Generate styled QR images/cards for ClawHub skills so users can scan and install instantly. Supports install-command payloads, ClawHub links, and GitHub link... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 357 次。
如何安装 Skill QR Card?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install skill-qr-card」即可一键安装,无需额外配置。
Skill QR Card 是免费的吗?
是的,Skill QR Card 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Skill QR Card 支持哪些平台?
Skill QR Card 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Skill QR Card?
由 Jack Lee(@jackleeio)开发并维护,当前版本 v0.1.2。
推荐 Skills