About QR Code Inspector
QR codes are a phishing vector — a poster slapped over a real café Wi-Fi sticker, a fake parking meter QR pointing at a credential-harvesting form. The QR Code Inspector decodes any QR image you drop in (or paste from clipboard) and runs a battery of checks against the payload before you ever open it on your phone. URLs are flagged for Punycode lookalikes, mixed scripts (homograph attacks), URL shorteners that hide the real destination, IP-address hosts, embedded credentials, suspicious TLDs, and unusual length. Wi-Fi configs are flagged when they're open / unencrypted. Plain-text payloads are surfaced verbatim. Decoding uses jsQR, locally — nothing is uploaded.
- No uploads
- Browser-only
- Works offline
- 100% free
How it works
- 1
Drop the QR image
JPG, PNG, WebP or GIF. The image is decoded locally with jsQR; the QR contents are extracted to text.
- 2
Read the safety report
URLs get parsed, classified and risk-scored. Other payload types (Wi-Fi, vCard, tel:) are surfaced with format-specific notes.
- 3
Decide
The summary aggregates findings into low / medium / high risk. Inspect the per-finding list to see exactly what was flagged.
Related tools
Browse allGenerate scannable QR codes for URLs, text, and Wi-Fi.
See which permissions are granted and detect supported APIs.
Audit any password — entropy, character classes and time-to-crack.
Encrypt and decrypt text with AES-256-GCM. Passphrase only.
Frequently asked questions
Are my files uploaded to a server?
No. Every tool on SnapToolz runs entirely inside your browser using JavaScript and WebAssembly. Your file is read locally, processed in memory, and the result is offered as a download. Nothing is sent to a server — there isn't one to send to.
Does the inspector open the URL?
No. The inspector only parses and analyses the URL string — it never makes a network request, never opens the URL, and never even DNS-resolves the domain. Everything is done by string analysis.
What's a Punycode / homograph attack?
Punycode encodes non-ASCII domains using ASCII (xn--…). It's used legitimately for international domain names, but attackers register domains where the Unicode form looks identical to a trusted brand — e.g. apple.com vs аpple.com (Cyrillic 'a'). The inspector flags both Punycode presence and mixed scripts in the displayed domain.
Why are some legit URLs flagged?
The checks are intentionally cautious. A short URL via bit.ly is technically risky because the destination is hidden — even if it's a trusted shortener for a known brand. Treat the findings as 'things to verify' rather than verdicts.
What if my QR contains plain text?
The decoded text is shown verbatim. It's classified as 'text' — no destination, no action. Just verify it doesn't contain commands you'd run blindly (some POS systems use QR-encoded shell commands).
Does it work offline?
Yes. SnapToolz is a Progressive Web App. After your first visit, the app is cached on your device and every tool keeps working without an internet connection.
Is SnapToolz free?
Yes — every tool is 100% free with no sign-up, no watermark, no hidden tier. The whole platform is open source and we have no plan to gate features.