v1.0.1

QR Bridge

Benign: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:18 AM.

Analysis

QR Bridge appears purpose-aligned for decoding QR codes and inspecting links, with the main things to notice being local setup commands and network requests to decoded URLs.

Guidance: This skill looks reasonable for QR-code and redirect diagnosis. Before installing, be aware that setup can compile a local helper and may install a Python package, and that using the inspection features will contact URLs found in QR codes from your environment.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
curl -sIL --max-redirs 15 --connect-timeout 10 "URL_HERE"

The skill follows redirects and inspects URLs decoded from QR codes. This is expected for the stated purpose, but it causes external sites from QR contents to be contacted.

User impact: Opening or inspecting a QR-derived link can reveal the user's network address to the destination and may touch unknown or tracking URLs, even though the commands shown do not send credentials.
Recommendation: Use it for links you are comfortable checking from your current network, and avoid tracing highly sensitive or untrusted QR codes unless that contact is acceptable.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
scripts/setup.sh
pip3 install "qrcode[pil]"

The setup script may install an unpinned Python package for QR generation. This is related to the advertised QR generation feature, but it is not declared in the registry install spec.

User impact: Running setup can modify the user's Python environment and depends on the current package served by the Python package index.
Recommendation: Review setup.sh before running it, consider installing dependencies in a virtual environment, and pin package versions if reproducibility matters.

Unexpected Code Execution
Severity: Info | Confidence: High | Status: Note
scripts/setup.sh
swiftc "$SWIFT_SRC" -o "$SWIFT_BIN" -O

The first-run setup compiles the included Swift QR decoder into a local executable. This is disclosed and directly supports the skill's QR decoding purpose.

User impact: The skill runs local code from its scripts directory to decode images, which is normal for this tool but still worth reviewing before installation.
Recommendation: Install only if you are comfortable compiling and running the included Swift helper; the visible source is short and aligned with QR decoding.