Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PocketLens

v1.0.0

Use when user wants to track expenses, scan receipts, upload card payment screenshots, categorize spending, record transactions, check spending summaries, vi...

by Eden Jeongwoo Hong (@edenjw)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (receipt scanning, transaction creation, summaries) match the included helper script and runtime instructions. Requiring Node and an API key for PocketLens is expected and proportionate.
Instruction Scope
SKILL.md limits actions to: using the platform's image/vision tool to extract transaction data, parsing that JSON, and calling the PocketLens API via the helper script. It does not instruct reading unrelated files, other credentials, or sending data to arbitrary endpoints.
Install Mechanism
No install spec and only a small included Node script are present. No external downloads or archive extraction; required binary (node) is reasonable for a Node helper script.
Credentials
Only POCKET_LENS_API_KEY (primary) and an optional POCKET_LENS_API_URL are requested. Both are justified by the stated purpose (authenticating requests to PocketLens). The SKILL.md and script do not reference other secrets or system config paths.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does not modify other skills or system-wide config. Autonomous invocation is allowed by default (normal for skills) and not combined with other red flags.
Assessment
This skill appears to do what it says: it uses the platform's vision tool to extract transactions and calls PocketLens APIs using POCKET_LENS_API_KEY. Before installing: (1) Ensure you trust pocketlens.app and are comfortable that transaction images and parsed financial details will be sent to that service; (2) Use a restricted API key with the minimum required scope (write permission only if needed) and rotate/revoke keys when appropriate; (3) Be aware that images are processed by the platform's vision/model tooling (may be sent to the provider), so avoid uploading extremely sensitive documents unless you accept that; (4) If you want extra safety, test with a non-production PocketLens account and verify the API URL is the official domain. The helper script itself contains no hidden endpoints or obfuscated behavior.

Version: latest (vk97cts1qe1w8pjcn5dvwkjyzd181n264)


Runtime requirements

Bins: node
Env: POCKET_LENS_API_KEY
Primary env: POCKET_LENS_API_KEY