Skill v1.0.0

ClawScan security

PocketLens · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 22, 2026, 2:41 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and instructions are coherent with an expense-tracking integration: it needs Node and a PocketLens API key and calls the PocketLens API via an included helper script to create/list/query transactions and summaries.
Guidance
This skill appears to do what it says: it uses Node and your PocketLens API key to upload parsed receipt/statement data to pocketlens.app. Before installing: (1) provide only an API key you are willing to expose to this skill, scoped to the minimum permissions it needs (the README asks for a write/full key so it can create transactions); (2) do not set POCKET_LENS_API_URL to an unknown host, because the helper sends your API key to whatever base URL that variable names; (3) be aware that uploaded images are processed by the agent's vision tool, so they may be sent to the platform's vision provider; (4) inspect the included script if you want extra assurance (it is readable and uses only fetch to call /api/external/* endpoints). Revoke the key if you stop using the skill or suspect misuse.

Review Dimensions

Purpose & Capability
ok
Name, description, required binary (node), and required credential (POCKET_LENS_API_KEY) align with an integration that posts transactions and queries spending from pocketlens.app. The helper script talks to endpoints under the PocketLens domain shown on the homepage.
Instruction Scope
ok
SKILL.md directs the agent to analyze receipt images with the platform's image tool, parse the returned JSON, and invoke the included Node helper script to call PocketLens API endpoints. It does not instruct the agent to read unrelated files or access other credentials. Note: image analysis uses the platform's 'image' tool, so uploaded images will be processed by the agent's vision provider.
Install Mechanism
ok
No install spec (instruction-only skill); the included helper is a local Node script. The skill package itself performs no network downloads or archive extraction.
Credentials
note
Only POCKET_LENS_API_KEY is required (primary credential), which is appropriate. SKILL.md and the README mention an optional POCKET_LENS_API_URL env var that changes the API base, but that optional variable is not listed under the skill's required env declarations; this is a minor documentation mismatch. Do not point POCKET_LENS_API_URL at an untrusted host, because the script will send your API key to that URL.
Persistence & Privilege
ok
always is false; the skill does not request persistent system configuration or access to other skills' settings. It only invokes a local helper and makes network calls to the PocketLens API using the provided key.
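Guidance item (2) and the Credentials note both hinge on the same property: the helper attaches POCKET_LENS_API_KEY to whatever base URL POCKET_LENS_API_URL names. The following Node snippet is an added example written for this review, not the skill's own helper script. It shows the check a hardened helper would perform before any fetch: the override is accepted only when it is https and resolves to pocketlens.app or a subdomain, and the key is attached only after that check passes. The default base https://pocketlens.app, the Authorization: Bearer header, the /api/external/ path prefix and the sample key are assumptions for illustration, not taken from the skill.

```javascript
// Added example for this review, not the PocketLens helper script itself.
// It shows how a helper that honors POCKET_LENS_API_URL can refuse to leak
// POCKET_LENS_API_KEY to an unexpected host. Assumptions not taken from the
// page: the default base https://pocketlens.app, the Authorization: Bearer
// header, and the /api/external/ path prefix. Adjust to the real script.
const DEFAULT_API_BASE = "https://pocketlens.app";
const ALLOWED_HOST = "pocketlens.app";
const EXTERNAL_PREFIX = "/api/external/";

// Resolve the API base URL from an env-like object. Accepts the default, or an
// override that is https and whose hostname is pocketlens.app or a subdomain
// of it. Everything else throws, so the key is never attached to a request
// for another host. Lookalikes such as pocketlens.app.evil.example and
// userinfo tricks such as https://pocketlens.app@evil.example are rejected
// because only the parsed hostname is compared.
function resolveApiBase(env = process.env) {
  const raw = env.POCKET_LENS_API_URL;
  if (raw === undefined || raw.trim() === "") return DEFAULT_API_BASE;
  let url;
  try {
    url = new URL(raw.trim());
  } catch (e) {
    throw new Error("POCKET_LENS_API_URL is not a valid URL");
  }
  if (url.protocol !== "https:") {
    throw new Error("POCKET_LENS_API_URL must use https");
  }
  const host = url.hostname.toLowerCase();
  if (host !== ALLOWED_HOST && !host.endsWith("." + ALLOWED_HOST)) {
    throw new Error(`refusing to send the API key to host ${host}`);
  }
  if (url.username || url.password) {
    throw new Error("POCKET_LENS_API_URL must not embed credentials");
  }
  // Keep scheme, host and any path prefix; drop query string and fragment.
  return url.origin + url.pathname.replace(/\/+$/, "");
}

// Build the fetch() arguments for one API call. The key is attached only after
// resolveApiBase() has vetted the destination, and only for paths under the
// prefix the scanner observed the real helper using.
function buildRequest(path, apiKey, env = process.env) {
  if (typeof apiKey !== "string" || apiKey === "") {
    throw new Error("POCKET_LENS_API_KEY is required");
  }
  if (!path.startsWith(EXTERNAL_PREFIX)) {
    throw new Error(`path must start with ${EXTERNAL_PREFIX}`);
  }
  const base = resolveApiBase(env);
  return {
    url: base + path,
    options: {
      method: "GET",
      headers: {
        Authorization: `Bearer ${apiKey}`,
        Accept: "application/json",
      },
    },
  };
}

// Mask a key for log lines so a debug trace never reveals the secret.
function maskKey(apiKey) {
  if (apiKey.length <= 8) return "****";
  return `${apiKey.slice(0, 4)}...${apiKey.slice(-4)}`;
}

// Demo on constructed inputs; no network call is made. The key below is a
// made-up sample, not a real credential.
function demo() {
  const key = "pl_example_key_0000";
  const ok = buildRequest(`${EXTERNAL_PREFIX}transactions`, key, {});
  let blocked = null;
  try {
    buildRequest(`${EXTERNAL_PREFIX}transactions`, key,
      { POCKET_LENS_API_URL: "https://pocketlens.app.evil.example/" });
  } catch (e) {
    blocked = e.message;
  }
  return { allowedUrl: ok.url, logLine: `calling ${ok.url} as ${maskKey(key)}`, blocked };
}
```

Run it with `node` and call demo(): the first request resolves to https://pocketlens.app/api/external/transactions, while the lookalike override is refused before any header is built. The same pattern applies to any env-configurable API base: validate the parsed hostname, not the raw string, and decide about the credential after validation rather than before.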