PocketLens
Review
Audited by ClawScan on May 10, 2026.
Overview
PocketLens matches its expense-tracking purpose, but it can create financial records from image-extracted data using a write-capable API key before an explicit user confirmation.
Install only if you are comfortable giving OpenClaw a least-privileged PocketLens API key and sending receipt/card-statement data through the configured tools. Review extracted transactions before they are recorded, avoid using a full-permission key unless needed, and redact unnecessary card or account details from screenshots.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Incorrect, manipulated, or poorly parsed receipt data could be recorded into the user's financial history before they approve it; unsafe shell quoting could also cause command failures or unintended command interpretation in some runners.
Transaction fields come from user messages or OCR/vision output, then are sent to a write API before user confirmation. The shell-style JSON example also relies on safe quoting of untrusted merchant/date/category text.
For each parsed transaction, call the PocketLens API using the helper script: `node pocket-lens.mjs create-transaction '<JSON>'` ... `After successful creation, summarize what was recorded`
Require an explicit user review step before creating transactions, validate amounts/dates/categories, and pass data to the helper via safe argv handling, stdin, or a temporary file instead of interpolating raw JSON into a shell command.
Anyone or any agent action with access to this environment variable can use the key to interact with the user's PocketLens account within the key's permissions.
A write-capable PocketLens credential is expected for this skill, but it grants the agent authority to create account records and access account-backed API responses.
`POCKET_LENS_API_KEY` (required): API key from PocketLens Settings > API Keys page. The key must have **write** permission to create transactions.
Use the least-privileged PocketLens key that supports the needed actions, avoid full permission unless necessary, store it securely, and revoke or rotate it if the skill is no longer used.
Receipts, card statements, banking screenshots, and extracted merchant/amount/date details may be processed outside the local chat context.
The skill intentionally routes sensitive financial images through an image-analysis capability and sends extracted transaction data to PocketLens. This is purpose-aligned, but the provider/data boundary is important for users to understand.
When a user sends an image that appears to be a receipt, credit card statement, bank notification, or any payment-related screenshot: ... Use the `image` tool to analyze the uploaded image
Upload only images needed for expense tracking, redact card/account numbers when possible, and check the privacy policies for the vision tool and PocketLens before using it with sensitive financial screenshots.
