Skill v1.0.0
VirusTotal security
PocketLens · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict: Suspicious (Apr 29, 2026, 4:21 AM)
- Hash: ce6f152bb8d7d492d38978bec0df2ba842b73fd47e10540d812406f5fd5273c5
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: pocket-lens. Version: 1.0.0. The skill integrates with PocketLens for expense tracking, which is a benign purpose. However, a significant vulnerability exists in the `SKILL.md` instructions for the OpenClaw agent. Specifically, when the agent is instructed to execute `node pocket-lens.mjs create-transaction '<JSON>'`, the JSON argument is derived from user input (either from image analysis or manual entry). If the OpenClaw agent fails to properly sanitize or shell-escape this user-controlled JSON string before passing it to the shell, it could lead to shell injection, allowing arbitrary command execution on the host system. While the skill's instructions suggest using single quotes for the JSON argument, the ultimate responsibility for robust escaping of user-controlled content lies with the agent's implementation, making this a high-risk vulnerability rather than intentional malice within the skill itself.
- External report: View on VirusTotal
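The Code Insight note describes the injection path but shows no code. The block below is an added example, not code from the pocket-lens skill, from PocketLens or from VirusTotal: it contrasts the "interpolate the JSON inside single quotes" pattern with proper single-quote escaping and with passing the JSON as one argv element so that no shell is involved. The transaction field set, the receipt payload with a quote breakout in the merchant name, the `spawn` callback and the small metacharacter scanner are all assumptions made for this example; `pocket-lens.mjs` is referenced by name only and is never executed here.

```javascript
// Added example (not part of the pocket-lens skill): how
//   node pocket-lens.mjs create-transaction '<JSON>'
// fails when the JSON is attacker-controlled, and two ways an agent can
// pass the argument safely. Everything below is constructed for the example.

// 1. Naive construction: interpolate the JSON into a shell command line and
//    rely on the surrounding single quotes. A single quote inside the JSON
//    ends the quoted region and the rest is parsed as shell.
function buildShellCommand(json) {
  return `node pocket-lens.mjs create-transaction '${json}'`;
}

// 2. POSIX single-quote escaping: close the quote, emit a backslash-escaped
//    quote, reopen. This is the minimum an agent must do if it insists on
//    going through /bin/sh.
function shellQuote(s) {
  return `'${s.replace(/'/g, `'\\''`)}'`;
}

function buildQuotedShellCommand(json) {
  return `node pocket-lens.mjs create-transaction ${shellQuote(json)}`;
}

// 3. Preferred: no shell at all. The JSON becomes one argv element, so quote
//    characters inside it are just bytes in that argument. An agent would hand
//    this to child_process.execFile / execFileSync without a `shell` option.
function buildArgv(json) {
  return ["pocket-lens.mjs", "create-transaction", json];
}

// Shape check applied before the payload reaches the tool. The field set is an
// assumption for the example. Note that a syntactically valid transaction can
// still contain shell metacharacters (apostrophes in merchant names are
// legitimate), so this check complements the argv path, it does not replace it.
function validateTransaction(json) {
  let obj;
  try { obj = JSON.parse(json); } catch { return false; }
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return false;
  const allowed = new Set(["amount", "currency", "merchant", "date", "note"]);
  for (const k of Object.keys(obj)) if (!allowed.has(k)) return false;
  if (typeof obj.amount !== "number" || !Number.isFinite(obj.amount)) return false;
  if (typeof obj.currency !== "string" || !/^[A-Z]{3}$/.test(obj.currency)) return false;
  if (typeof obj.merchant !== "string" || obj.merchant.length > 200) return false;
  if (obj.date !== undefined && !/^\d{4}-\d{2}-\d{2}$/.test(obj.date)) return false;
  if (obj.note !== undefined && typeof obj.note !== "string") return false;
  return true;
}

// Tiny scanner that counts ; | & sitting outside quotes, i.e. the characters
// /bin/sh would treat as command separators. Single quotes take no escapes;
// double quotes and bare text honour backslash.
function unquotedSeparators(cmd) {
  let inSingle = false, inDouble = false, count = 0;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (inSingle) { if (c === "'") inSingle = false; continue; }
    if (inDouble) {
      if (c === "\\") { i++; continue; }
      if (c === '"') inDouble = false;
      continue;
    }
    if (c === "\\") { i++; continue; }
    if (c === "'") inSingle = true;
    else if (c === '"') inDouble = true;
    else if (c === ";" || c === "|" || c === "&") count++;
  }
  return count;
}

// Constructed "receipt" in which the merchant field carries a quote breakout,
// the kind of value an OCR step or manual entry could hand to the agent.
const MALICIOUS_JSON = JSON.stringify({
  amount: 12.5,
  currency: "USD",
  merchant: "Cafe'; touch /tmp/pwned; echo '",
});

// Safe path: validate, then pass argv to a spawner that never invokes a shell.
// `spawn(file, args)` is injected so the example runs without touching disk.
function runSafely(json, spawn) {
  if (!validateTransaction(json)) throw new Error("rejected transaction payload");
  return spawn("node", buildArgv(json));
}
```

In a real agent `spawn` would be `(file, args) => execFileSync(file, args, { encoding: "utf8" })` from `node:child_process`, with no `shell` option. The instructive part is that `validateTransaction` accepts the hostile payload: it is a well-formed transaction whose merchant name happens to contain an apostrophe and two shell separators, which is exactly why schema checks alone do not close the hole and the argv path (or, failing that, `shellQuote`) is what does.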
