SafeScan QR Legal
Risk Engine
Risk analysis model
SafeScan QR turns a QR payload into a 0-100 risk score by decoding the payload, classifying the action, inspecting URLs, checking reputation sources, matching wallet-drain patterns, and optionally blending in the local ML model. The final verdict is informational, not a guarantee of safety.
Score bands
- 0-39 SAFE: no major suspicious indicators were found.
- 40-79 CAUTION: one or more suspicious signals need review.
- 80-100 MALICIOUS: high-risk signals indicate likely phishing, malware, credential theft, or wallet drain behavior.
Output data
- Final verdict, risk score, confidence score, and threat class.
- Decoded URL or non-URL QR payload.
- Human-readable explanation and next-action guidance.
- Signal list with label, severity, detail, and whether the signal is positive or negative.
Data checked during analysis
Payload and action data
- URL, text, Wi-Fi, email, SMS, phone, contact card, calendar, wallet, payment, and app-deep-link payloads.
- Embedded URLs hidden inside non-URL QR actions.
- Sensitive wording such as password, seed, recovery, verify, login, wallet, bank, and urgent.
- Download, installer, executable, and compressed file paths.
URL and domain data
- HTTPS vs non-HTTPS destination.
- Hostname, top-level domain, punycode, suspicious query parameters, fragments, and redirects.
- Domain age from WHOIS/RDAP when available.
- New, recently registered, unknown-age, and high-risk TLD indicators.
Reputation data
- Google Safe Browsing threat matches when the API key is configured.
- VirusTotal-style engine summary: clean, unrated, malicious, and suspicious vendor results.
- Local URL cache so repeated scans can reuse recent verdicts quickly.
- Admin-confirmed reports and blocklist decisions.
Crypto and payment data
- Solana and wallet-deep-link payloads.
- Wallet address placement in URL query strings or fragments.
- Claim, approve, permit, signature, drain, mint, airdrop, and connect-wallet language.
- Payment QR actions that can launch wallet, transfer, or checkout flows.
Model pipeline
- Decode: read the QR image, pasted payload, SVG, PDF, or manual URL input.
- Normalize: trim and classify the payload type, extract embedded URLs, and validate URL shape.
- Inspect: check scheme, domain, path, query, redirects, reputation matches, domain age, and crypto patterns.
- Score: convert each signal into weighted risk, then clamp the final confidence score from 0 to 100.
- Blend ML: when enabled, combine the local QR ML model score with rule-based evidence.
- Explain: return the verdict, score, reasons, action description, threat class, and optional admin/reporting metadata.
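The Normalize, Inspect and Score steps can be sketched as follows. This is an added example, not SafeScan's own code: the weights, the download-extension list, the `analyze` and `band` names, and the reading of "positive" as "lowers risk" are assumptions, while the word lists and score bands come from this page.

```python
import re
from urllib.parse import urlsplit

# Assumed weights for illustration; the page does not publish the real values.
WEIGHTS = {"https": -5, "no_https": 25, "punycode": 30, "download_path": 30,
           "sensitive_words": 20, "wallet_language": 35}
SENSITIVE = ("password", "seed", "recovery", "verify", "login", "wallet", "bank", "urgent")
WALLET = ("claim", "approve", "permit", "signature", "drain", "mint", "airdrop", "connect-wallet")
DOWNLOAD = (".exe", ".msi", ".apk", ".zip", ".7z")  # assumed extension list
URL_RE = re.compile(r"https?://[^\s;\"'<>]+", re.IGNORECASE)

def band(score):
    # Score bands as listed on the page: 0-39, 40-79, 80-100.
    return "SAFE" if score <= 39 else "CAUTION" if score <= 79 else "MALICIOUS"

def analyze(payload):
    """Normalize, inspect and score one decoded QR payload."""
    text = payload.strip()
    low = text.lower()
    signals = []
    def add(label, detail):
        w = WEIGHTS[label]  # assumption: "positive" means the signal lowers risk
        signals.append({"label": label, "severity": abs(w),
                        "detail": detail, "positive": w < 0})
    for url in URL_RE.findall(text):  # also finds URLs embedded in SMS, Wi-Fi, etc.
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        add("https" if parts.scheme.lower() == "https" else "no_https", url)
        if any(lbl.startswith("xn--") for lbl in host.split(".")):
            add("punycode", host)
        if parts.path.lower().endswith(DOWNLOAD):
            add("download_path", parts.path)
    for label, words in (("sensitive_words", SENSITIVE), ("wallet_language", WALLET)):
        hits = [w for w in words if w in low]
        if hits:
            add(label, ", ".join(hits))
    raw = sum(-s["severity"] if s["positive"] else s["severity"] for s in signals)
    score = max(0, min(100, raw))  # clamp to the 0-100 range
    return {"verdict": band(score), "score": score, "signals": signals}

# Constructed sample payloads (not real scans).
SAMPLES = [
    "https://docs.example.org/handbook",
    "SMSTO:+15550100:Urgent: verify your bank at http://xn--bnk-example.test/login",
    "http://airdrop.example.test/claim?wallet=CONSTRUCTED#approve",
]
if __name__ == "__main__":
    for p in SAMPLES:
        r = analyze(p)
        print(r["score"], r["verdict"], [s["label"] for s in r["signals"]])
```

Substring matching is used for the word lists to keep the sketch short, so it will over-match (for example "permit" inside "permitted"); a production rule set would tokenize first.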
Stored data
For signed-in users, SafeScan can save scan history and counters so profile progress, scan history, fraud prevention, and leaderboard features work across sessions. Stored scan rows may include user id, email, URL or payload, risk score, verdict, signal JSON, report status, and created time. Uploaded QR image files may be stored temporarily according to the configured upload retention policy.
Privacy and limits
SafeScan avoids sending direct personal identifiers to external AI analysis providers. URL payloads and risk signals may be processed by configured reputation or AI services. The engine is designed to explain risk clearly, but users should still verify important links, wallet prompts, and payment requests independently.