QRdex
ReviewAudited by ClawScan on May 1, 2026.
Overview
QRdex is a coherent QRdex.io API helper, but it uses a team API key and can create, update, delete, store, and track QR code data, including potentially sensitive WiFi or contact details.
Install/use this skill only if you intend to let the agent work with your QRdex.io account. Before creating WiFi, SMS, WhatsApp, or email QR codes, consider whether the included passwords, phone numbers, messages, and scan-tracking data are appropriate to send to QRdex and expose through QR codes.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent or script with this environment variable can perform QRdex API actions allowed by that key.
The skill requires a QRdex bearer API key to operate on the user's QRdex team account. This is expected for the integration, but users should notice the delegated account authority.
export QRDEX_API_KEY="your-api-key" ... All requests require `Authorization: Bearer $QRDEX_API_KEY`
Use a revocable, least-privileged QRdex API key if available, set it only when needed, and avoid sharing terminal logs or environments that expose it.
A mistaken update or delete could alter public QR destinations or remove QR codes from the user's QRdex account.
The documented workflow includes direct update and soft-delete operations on QRdex records. These are purpose-aligned, but they can change or remove account data.
# Update (partial — only send changed fields) ... curl -X PATCH ... # Delete (soft-delete) ... curl -X DELETE https://qrdex.io/api/v1/qr_codes/:id
Confirm QR code IDs and intended changes before update/delete actions; consider requiring explicit user confirmation for destructive operations.
Private WiFi credentials, phone numbers, email content, or scan activity could become part of QRdex-hosted QR records or QR codes.
QR payloads may include WiFi passwords, messages, and contact details, and scan tracking is supported by default, so sensitive data may be sent to and stored by QRdex.
`wifi_password` | string | No | WiFi password ... `message` | string | No | Body for sms/whatsapp/email ... `track_scans` | boolean | No | Enable tracking (default: `true`)
Only encode information you are comfortable storing with QRdex and exposing through a QR code; disable tracking where unnecessary if the API supports it.
Users may need to install a Python dependency themselves, and should ensure it comes from a trusted package source.
The helper script depends on the external Requests package, but the skill has no install spec or pinned dependency declaration. This is a manual setup gap rather than hidden execution.
"""QRdex.io API client CLI. Requires: requests (pip install requests).""" ... import requests
Install dependencies from a trusted Python package index/environment and consider adding a pinned requirements file or install specification.