Scanblitz
Pass
Audited by ClawScan on May 17, 2026.
Overview
Scanblitz appears to be a normal ScanBlitz API integration, but it needs an API key and can change live QR-code destinations, so update and delete actions should be reviewed carefully.
This skill looks coherent for managing ScanBlitz dynamic QR codes. Before installing, make sure you trust ScanBlitz, protect the SCANBLITZ_API_KEY, confirm any update/delete operation on live QR codes, and avoid the optional MCP/npx setup unless you specifically need it and trust the package.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with the API key may be able to access or modify the user's ScanBlitz QR-code resources, depending on the key's permissions.
The skill requires and transmits a ScanBlitz API key to perform account-level API operations. This is expected for the integration, but the key is a sensitive credential.
AUTH_HEADER="Authorization: Bearer $SCANBLITZ_API_KEY"
Store the key securely, avoid sharing logs that include commands or headers, use only trusted API base URLs, and revoke or rotate the key if it may have been exposed.
A mistaken update or deletion could redirect a public QR code to the wrong destination or disrupt an active campaign.
The skill documents mutating operations for QR-code resources. These operations are purpose-aligned, but they can alter or remove live QR links.
Update, deactivate, or delete an existing ScanBlitz QR code.
Confirm the intended QR code, destination URL, and impact before running update, deactivate, or delete operations.
If the optional MCP setup is enabled, the local agent would execute code from the npm package and provide it with the ScanBlitz API key.
The optional MCP configuration would run an npm package through npx without a pinned version. This is optional and disclosed, but it introduces package provenance and version-trust considerations.
"command": "npx", "args": ["-y", "@scanblitz/mcp-server"]
Use the instruction-only curl flow unless MCP is needed; if enabling MCP, verify the package source and consider pinning a known-good version.
Enabling the MCP server expands trust from the instruction-only skill to the MCP package that handles API-key-backed requests.
The optional MCP server would mediate ScanBlitz actions and receive the API key. The visible artifact does not detail the MCP server's internal tool boundaries, though this setup is optional and purpose-aligned.
"mcpServers": { "scanblitz": { ... "env": { "SCANBLITZ_API_KEY": "sb_api_..." } } }
Only enable the MCP server if you trust the package and understand which tools it exposes to the agent.
