qr-decoder
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill is designed to decode arbitrary data from QR codes, which can include malicious text instructions.
  - Ingestion points: Decoded content from local images or remote URLs is passed back to the agent context.
  - Boundary markers: Absent. There are no instructions for the agent to treat the QR content as untrusted or to use delimiters.
  - Capability inventory: The agent utilizing this skill may have subprocess execution, network access, or file-writing capabilities that can be exploited by injected instructions.
  - Sanitization: Absent. No evidence of content filtering or sanitization before the data reaches the agent.
- [COMMAND_EXECUTION]: Shell Argument Handling. The skill invokes a shell script (decode.sh) using user-provided parameters such as --url, --pattern, and file paths. If these inputs are not strictly sanitized or quoted within the script, they could be exploited to perform command injection.
- [EXTERNAL_DOWNLOADS]: Remote Image Retrieval. The --url option allows the skill to fetch image files from arbitrary remote servers. This functionality introduces a network boundary crossing that could be leveraged for Server-Side Request Forgery (SSRF) or to target vulnerabilities in the image processing library (zbarimg/libdecodeqr).
Audit Metadata