ClawHub

QRdex

v1.0.0

Create, manage, and track QR codes using the QRdex.io REST API. Use when working with QR code generation, URL shortening with QR codes, WiFi QR codes, email/SMS/WhatsApp QR codes, scan tracking, or any QRdex.io operations. Supports all QR types (url, email, telephone, sms, whatsapp, wifi) with customizable colors and shapes.

3· 1.6k·0 current·0 all-time
by@sebastienb
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and scripts/qrdex_api.py are consistent with a QRdex.io integration (creating/listing/updating/deleting QR codes). However, the registry metadata did not declare the primary credential (QRDEX_API_KEY) even though the instructions explicitly require it — that omission is inconsistent and should be corrected.
Instruction Scope
The runtime instructions stick to interacting with the QRdex API (curl examples and a Python CLI). They do not request unrelated system files, other credentials, or external endpoints beyond qrdex.io. Error handling and rate-limit guidance are specific to the API.
Install Mechanism
This is an instruction-only skill with a bundled Python script and no install spec. That is workable, but there's no declared dependency list or install steps (e.g., Python package requirements). The absence of an install spec is a minor coherence issue — reviewers should inspect scripts/qrdex_api.py for runtime imports (requests, etc.) and confirm dependencies.
!
Credentials
SKILL.md requires an API key via the QRDEX_API_KEY environment variable, which is proportionate to the stated purpose. But the skill's registry metadata does not list any required env vars or primary credential — this mismatch is concerning because it hides the fact that a secret (API key) is needed and will be used by the skill.
Persistence & Privilege
The skill does not set always:true and does not declare disableModelInvocation, so it is model-invocable by default. That is typical for integration skills, but combined with the API key usage it means the model could call the QRdex API autonomously if allowed — the user should be aware that the skill can perform create/update/delete operations against the account tied to the API key.
What to consider before installing
This skill appears to implement the advertised QRdex API features, but proceed cautiously: (1) The SKILL.md requires QRDEX_API_KEY, yet the registry metadata does not declare any required credentials — treat that as a red flag and avoid providing keys until you verify. (2) There's a bundled Python script (scripts/qrdex_api.py) but no install/dependency spec; review that file to confirm it only talks to qrdex.io and does not exfiltrate data to other hosts. (3) The skill source/homepage is unknown — prefer skills with a verifiable homepage or repo. (4) If you install, use a scoped API key with minimal permissions and consider disabling autonomous model invocation (or require explicit user confirmation) if you do not want the model to create/update/delete QR codes on its own.

Like a lobster shell, security has layers — review code before you run it.

latestvk9739n5st9rh7aaxptreqn79dd80fn94

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments