qr-generator

Fail

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION]: The scripts qr.sh, qr-wifi.sh, and qr-vcard.sh pass shell variables directly into Python code using 'Here Documents'. The pattern variable = """$VARIABLE""" is used for multiple inputs including $DATA, $SSID, $PASSWORD, $NAME, $PHONE, $EMAIL, $ORG, $TITLE, $URL, $ADDRESS, and $NOTE. This lacks proper escaping or sanitization.
  • [REMOTE_CODE_EXECUTION]: An attacker can provide input containing triple quotes (""") followed by malicious Python code (e.g., """ ; import os; os.system('id'); """). This injected code will be executed by the Python interpreter with the same privileges as the AI agent, allowing for unauthorized system access and command execution.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 1, 2026, 05:11 AM