Checking if a QR is safe?
Our QR safety scanner lives at its own site: Abundera QR Check. Walks the redirect chain, classifies destination mutability (who can change where the QR points after it’s printed), screens reputation, and catches type-specific threats, evil-twin Wi-Fi, contact-poisoning vCards, wallet-drainer crypto QRs, malicious Android intents, and more.
We separated the checker from this generator on purpose. The generator at qr.abundera.ai is everything-client-side, nothing leaves your device. A safety checker has to be the opposite: the decoded payload travels to the analyzer so we can walk redirects and query reputation services. Two opposite privacy postures, two sites, clear labels.
What Abundera QR Check covers
The scanner dispatches each QR payload through a multi-analyzer suite, with type-specific heuristics per payload kind, plus the cross-cutting redirect-chain and mutability checks.
What payload types are supported?
HTTP/HTTPS URLs, Wi-Fi credentials, vCard / MeCard contact records, telephony URIs (tel:, sms:), mailto:, Android intent:// URIs, cryptocurrency URIs (bitcoin:, ethereum:, solana:, and more), content-addressed identifiers (magnet:, ipfs:, ipns:), inline data: URIs, calendar events (BEGIN:VEVENT), geo: URIs, EMV merchant-payment QRs, Matter onboarding codes, FIDO passkey hybrid sign-in codes, Smart Health Cards, eSIM activation, WalletConnect pairings, and hard-blocked schemes (javascript:, file:, ftp:). Plain text falls back to embedded-URL / phone / crypto-address extraction with prompt-injection and credential-leak detection.
How does the mutability axis differ from a regular threat scan?
Most QR safety tools check whether the URL is currently dangerous. Abundera QR Check additionally classifies whether the destination can be changed by a third party after the QR was printed. A clean dynamic QR routed through Bitly is still high-risk for a parking-meter sticker or wedding invitation: the Bitly account holder can change the destination to a phishing page at any moment. We surface this control-posture as a first-class verdict field.
Why is the checker on a different site than the generator?
The generator at qr.abundera.ai makes a hard everything-client-side promise, your payload never leaves your browser. A safety checker has the opposite shape: it must transmit the decoded payload to walk redirect chains and query reputation services. Mixing them on one domain would muddle the promise. So qr.abundera.ai stays client-only, and check.qr.abundera.ai openly transmits + analyzes. Same engineering team, separate domains, separate privacy postures.