PocketLens
Review
Audited by ClawScan on May 10, 2026.
Overview
PocketLens is a coherent expense-tracking integration, but it can automatically add financial records from uploaded images using a write-capable API key before the user confirms the extracted details.
Install only if you trust PocketLens with receipt, card, and spending data. Use a least-privilege API key, do not use a full-permission key unless required, keep POCKET_LENS_API_URL pointed at a trusted PocketLens endpoint, and tell the agent to show extracted transactions for confirmation before recording them.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A misread receipt, a screenshot shared for another reason, or an incorrect Vision extraction could create unintended or inaccurate financial records in the user’s PocketLens account.
The skill directs the agent to turn payment-looking images into API write operations, including multiple transactions, without requiring the user to review and approve the extracted merchant, amount, date, or category first.
When a user sends an image that appears to be a receipt, credit card statement, bank notification, or any payment-related screenshot ... For each parsed transaction, call the PocketLens API using the helper script: node pocket-lens.mjs create-transaction '<JSON>'
Require a confirm-before-create flow: show the extracted transactions and total, wait for explicit user approval, and ideally create them as pending or provide an undo path.
If the API key is leaked or misused, someone may be able to create or access financial records depending on the key’s permissions.
The skill expects a credential that can mutate the user’s PocketLens account, and the documentation allows a full-permission key even though least privilege is safer.
Set the permission to **write** (or **full**).
Use the least-privileged PocketLens key that supports the needed operations, avoid full permission unless truly required, and rotate the key if it may have been exposed.
Uploaded images may contain personal financial details beyond the transaction being recorded, and those details may be visible to the model/tooling and PocketLens service.
Sensitive receipt, card-statement, and banking screenshot data is processed through a Vision AI/tool flow and then sent to PocketLens. This is the advertised function, but it involves sensitive financial information crossing service boundaries.
The assistant will: 1. Analyze the image using Vision AI. 2. Extract merchant name, amount, date, and card info. 3. Submit the transactions to PocketLens.
Only upload images you intend to process, crop or redact unrelated details where possible, and review PocketLens/OpenClaw data handling policies.
