QR Bridge
v1.0.1Decode QR codes, trace redirects, inspect gated destinations, and explain what the link actually needs
⭐ 0· 104·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill claims to decode QR codes and trace/inspect links and includes a macOS CoreImage-based Swift decoder, curl-based tracing, and Python utilities for generation/fallback. This is proportional to the stated purpose. Minor inconsistency: registry metadata lists no OS restriction, but the primary decoder depends on macOS/CoreImage and a Swift toolchain (the README and SKILL.md correctly document the macOS requirement).
Instruction Scope
SKILL.md instructs the agent to compile/run the included Swift binary, run curl to follow redirects, and optionally run Python snippets (pyzbar fallback and qrcode generation). All of these actions are within the skill's scope (decoding and web inspection). Important operational note: the instructions cause the agent (or user) to make network requests to arbitrary decoded URLs and to run setup scripts that invoke pip; both are expected for this skill but worth awareness.
Install Mechanism
There is no automatic install spec in registry terms, but the repo provides a setup.sh that compiles a local Swift source file (safe, local compilation) and will run pip3 install 'qrcode[pil]' if missing. No downloads from untrusted/personal servers are used. Installing Python packages from PyPI and suggesting brew install zbar (for pyzbar) are typical but have moderate risk if run carelessly—these modify the user's Python environment.
Credentials
The skill requests no environment variables, credentials, or config paths. It does ask to write a compiled binary into the skill directory (~/.claude/skills/qr-bridge/scripts/qr-decode) during setup, which is proportional to its function. No secrets or unrelated service keys are requested.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges. The only persistence is compiling a binary and installing optional Python packages into the user's environment (local changes). The skill does not modify other skills or system-wide agent policies. Note: the agent could autonomously run the provided setup script if allowed, which would perform the local compile and possible pip install.
Assessment
This skill appears to do what it says: a macOS-native QR decoder + redirect/gate inspection. Before running setup.sh or letting an agent run it autonomously: (1) confirm you are on macOS and have the Swift toolchain if you want the fast CoreImage decoder (the skill will not work fully on non-macOS); (2) review scripts/setup.sh — it may run pip3 install to add the 'qrcode' package to your Python environment (consider using a virtualenv if you want to avoid modifying your system Python); (3) be aware the agent will make HTTP(S) requests to URLs decoded from images (expected for tracing/inspection); (4) if you have security concerns, run the setup and tests in an isolated environment (VM/container) or inspect/compile the Swift source yourself (scripts/qr-decode.swift is short and readable). There are no requested secrets or hidden network endpoints in the repository, but the registry OS metadata mismatch (no OS restriction vs macOS dependency) is worth noting.Like a lobster shell, security has layers — review code before you run it.
latestvk97fzpeg60cjh42wj765z5ed2d83vay2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.