
QR Payload Auditor
Audit the decoded text a QR code carries before you print it on something. Flags URLs that are not absolute, link shorteners that hide the real destination, unsafe schemes (javascript:, data:, file:), payloads too long to scan reliably, malformed Wi-Fi or contact payloads, and exposed credentials like a Wi-Fi password or a token sitting in a URL. It audits the decoded payload you paste; it does not read images.
- Scan marketing QR payloads for risky shorteners before bulk printing
- Detect exposed credentials or hidden trackers in QR text data
- Verify QR URI schemes are safe and follow absolute path standards
$5 · or 25 credits
Secure checkout via Stripe
Included in download
- Scan marketing QR payloads for risky shorteners before bulk printing
- Detect exposed credentials or hidden trackers in QR text data
- terminal, file_read automation included
- Ready for Cursor
- Instant install
Sample input
Audit this QR payload I'm planning to use on our conference badges: "https://bit.ly/3xJ8kL2"
Sample output
QR Audit Report
Findings:
- [HIGH] RULE_URL_SHORTENER: "bit.ly" detected. Risk: Hides destination and depends on third-party uptime.
- [INFO] RULE_ABS_URL: URL is absolute.
Remediation: Replace bit.ly with a branded, absolute URL (e.g., https://site.com/event).
About This Skill
What it does
The QR Payload Auditor is a specialized security tool for developers and marketing teams who need to verify the integrity of QR code content before it is printed on physical assets. It performs a deep static analysis of decoded QR text payloads to identify high-risk elements that are often overlooked by standard scanners.
Why use this skill
While most tools focus on decoding the image, this skill focuses on the logic and security of the payload itself. It identifies "broken" architecture in QR data, such as non-absolute URLs that won't resolve, exposed credentials, unsafe URI schemes, and the use of URL shorteners that hide the final destination, a common red flag in security audits. Using this skill is significantly more reliable than manual inspection because it runs your payload against a standardized checklist and a database of known URL shortener patterns.
Supported tools
The skill utilizes a localized Python-based scanning engine, a JSON-based database of high-risk URL patterns, and a comprehensive remediation library. It integrates seamlessly into CLI workflows via stdin or text file batch processing.
Output
You receive a detailed audit report including a severity-ranked list of findings with specific rule IDs, precise evidence from the payload, actionable remediation snippets, and a clear breakdown of scanning limitations to ensure full transparency.
Use Cases
- Scan marketing QR payloads for risky shorteners before bulk printing
- Detect exposed credentials or hidden trackers in QR text data
- Verify QR URI schemes are safe and follow absolute path standards
- Automate batch audits of promotional URLs for technical compliance
Known Limitations
It audits the decoded text payload you provide. It does not read images or scan QR codes, so the QR has to be decoded first (your agent can do that). The shortener list is as complete as the file you maintain.
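A minimal sketch of the kind of static checks described above, as an added example that is not the skill's own code. RULE_URL_SHORTENER and RULE_ABS_URL come from the sample output; the other rule IDs, the shortener set, the secret parameter names, and the assumption that Wi-Fi payloads use the common WIFI:T:...;S:...;P:...;; form are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample values; the page says the real shortener list is an editable file.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
UNSAFE_SCHEMES = {"javascript", "data", "file"}
SECRET_PARAMS = {"token", "access_token", "api_key", "key", "password", "secret"}

def audit_wifi(payload):
    """Check a WIFI:T:..;S:..;P:..;; payload for a missing SSID or an embedded password."""
    body = payload[len("WIFI:"):]
    # Split on ';' that is not backslash-escaped, then split each field on its first ':'.
    fields = dict(f.split(":", 1) for f in re.split(r"(?<!\\);", body) if ":" in f)
    findings = []
    if not fields.get("S"):
        findings.append(("HIGH", "RULE_WIFI_MALFORMED", "missing SSID field S"))
    if fields.get("P"):
        # Evidence names the field only; the secret itself is never echoed.
        findings.append(("HIGH", "RULE_WIFI_PASSWORD", "password field P is set"))
    return findings

def audit_url(payload):
    """Check scheme, absoluteness, shortener hosts and credentials in a URL payload."""
    parts = urlsplit(payload)
    scheme = parts.scheme.lower()
    if scheme in UNSAFE_SCHEMES:
        return [("HIGH", "RULE_UNSAFE_SCHEME", scheme + ":")]
    if scheme not in ("http", "https") or not parts.hostname:
        return [("HIGH", "RULE_ABS_URL", "not an absolute http(s) URL")]
    findings = [("INFO", "RULE_ABS_URL", "URL is absolute")]
    host = parts.hostname.lower()
    if host in SHORTENERS:
        findings.append(("HIGH", "RULE_URL_SHORTENER", host))
    if parts.password:
        findings.append(("HIGH", "RULE_URL_CREDENTIAL", "password in userinfo"))
    for name, value in parse_qsl(parts.query):
        if name.lower() in SECRET_PARAMS and value:
            findings.append(("HIGH", "RULE_URL_CREDENTIAL", "query parameter " + name))
    return findings

def audit(payload):
    """Return a list of (severity, rule_id, evidence) for one decoded QR payload."""
    payload = payload.strip()
    if payload.upper().startswith("WIFI:"):
        return audit_wifi(payload)
    return audit_url(payload)
```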
How to Install
mkdir -p ~/.claude/skills && curl -sL https://www.agensi.io/api/install/qr-payload-auditor -o /tmp/qr-payload-auditor.zip && unzip -o /tmp/qr-payload-auditor.zip -d ~/.claude/skills && rm /tmp/qr-payload-auditor.zip
Free skills install directly. Paid skills require purchase - use the download button above after buying.
Security Scanned
Passed automated security review
Permissions
Allowed Hosts
File Scopes
Read-only. The URL-shortener list loads from an editable file in references/. Reads no environment variables and writes nothing.
Works with any agent that can run a local Python script (Claude Code, Cursor, Codex CLI, and other SKILL.md-compatible agents). Standard library only, no install step. No network calls.
Creator
JustHandled Labs creates focused agent skills and workflow packs for Claude, Codex, Cursor, and AI-assisted builders. Each tool is designed around a real repeatable task: cleaner commits, better PRs, stronger handoffs, safer repo hygiene, clearer documentation, and less copy-paste chaos. The goal is not generic AI productivity. The goal is specific workflows that are easier to run, review, and repeat. Maintained by H.J. Westerfield, with a background in communications, editing, project coordination, customer support, and practical AI systems. JustHandled Labs builds tools for people who want useful automation without theatrical complexity.