v1.2.0

QR Claw

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:56 AM.

Analysis

QR Claw is a coherent QR-code helper that clearly discloses it sends requested content to an external public-link service, so it should only be used for non-sensitive data.

GuidanceInstall only if you are comfortable having QR payloads sent to qrclaw.goplausible.xyz and made available through a temporary public link. Do not use it for secrets, credentials, private keys, personal identifiers, or anything the user did not explicitly intend to share.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

SKILL.md

The input string you send is transmitted over HTTPS to this service, stored temporarily (24 hours), and exposed via a public smart link with social preview metadata.

The skill's core operation sends the QR payload to an external provider and makes it reachable through a generated link. This is disclosed and purpose-aligned, but it matters for privacy.

User impactAnything encoded into a QR code may be visible through the generated smart link for up to 24 hours, so private or secret data could be exposed if entered.

RecommendationUse this skill only for data the user explicitly wants to share, and continue refusing passwords, tokens, private keys, personal identifiers, or other sensitive content.