Lensmor Gateway
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This Lensmor gateway skill is mostly well controlled, but review is needed because a documented approval safeguard for unlocking contacts is not always enforced in code.
Before installing, confirm that you are comfortable giving the skill a Lensmor API key and allowing bounded automatic credit usage. If you want every chargeable action reviewed, set maxAutoApprovedMeteredCredits to 0. The publisher should fix or clarify the unlock approval logic so contact unlock actions always require the approval that the documentation promises.
Publisher note
Lensmor distinguishes explicit unlock purchases from normal metered assistant usage. Unlock actions such as unlock_contact_emails and unlock_event_contacts always require OpenClaw user approval. Bounded metered usage actions such as search_exhibitor_events may run without an approval prompt only after Lensmor precheck returns allowed=true and the reported credits are <= maxAutoApprovedMeteredCredits (default 100, configurable 0-1000; set 0 to require approval for all chargeable metered usage). The plugin does not let the model choose arbitrary routes: model-facing API calls use relative paths and an explicit route allowlist. LENSMOR_BASE_URL and presigned upload URLs must be HTTPS and are rejected for localhost, private IP ranges, internal hostnames, credentials, query strings on base URL, or fragments. File upload accepts generated string content only and validates safe filenames, limited extensions, byte limits, HTTPS putUrl, and HTTPS signUrl.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
62/62 vendors flagged this plugin as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Contact-email or event-contact unlocks may run without a prompt in no-charge or incorrectly classified precheck cases.
Because the no-charge check runs before the unlock-action confirmation check, an allowed unlock action with shouldCharge=false can execute without a user approval prompt, despite the documentation stating that explicit unlock actions require approval.
    const CONFIRM_ACTIONS = new Set(["unlock_event_contacts", "unlock_contact_emails"]);
    ...
    if (facts.shouldCharge !== true) {
      return { kind: "allow_without_confirm" };
    }
    if (CONFIRM_ACTIONS.has(actionType)) {
      return { kind: "require_confirm" };
    }

Require confirmation for unlock_event_contacts and unlock_contact_emails before considering shouldCharge, or clearly document and test any intended no-charge exception.
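The ordering problem above, side by side with the corrected ordering, as an added example that is not the plugin's own code: decideReported, decideFixed, decideMetered and the facts.allowed / facts.credits fields are assumed names, while CONFIRM_ACTIONS, shouldCharge and maxAutoApprovedMeteredCredits come from the finding and the publisher note.

```javascript
// Added example (not the plugin's code). Models the approval decision from the
// finding: the only difference between the two decide* functions is check order.
const CONFIRM_ACTIONS = new Set(["unlock_event_contacts", "unlock_contact_emails"]);

// Ordering as reported: the no-charge short-circuit runs first, so an unlock
// action whose precheck says shouldCharge=false never reaches the confirm check.
function decideReported(actionType, facts, maxAutoApprovedMeteredCredits = 100) {
  if (facts.shouldCharge !== true) {
    return { kind: "allow_without_confirm" };
  }
  if (CONFIRM_ACTIONS.has(actionType)) {
    return { kind: "require_confirm" };
  }
  return decideMetered(facts, maxAutoApprovedMeteredCredits);
}

// Corrected ordering: explicit unlock actions always require confirmation,
// regardless of how precheck classified the charge.
function decideFixed(actionType, facts, maxAutoApprovedMeteredCredits = 100) {
  if (CONFIRM_ACTIONS.has(actionType)) {
    return { kind: "require_confirm" };
  }
  if (facts.shouldCharge !== true) {
    return { kind: "allow_without_confirm" };
  }
  return decideMetered(facts, maxAutoApprovedMeteredCredits);
}

// Bounded metered usage as the publisher note describes it: auto-approve only
// when precheck allowed the action and the reported credits are within the cap.
// facts.allowed and facts.credits are assumed field names.
function decideMetered(facts, maxAutoApprovedMeteredCredits) {
  const credits = Number(facts.credits);
  if (facts.allowed === true && Number.isFinite(credits) &&
      credits <= maxAutoApprovedMeteredCredits) {
    return { kind: "allow_without_confirm" };
  }
  return { kind: "require_confirm" };
}
```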
Some Lensmor credits could be consumed automatically during normal agent use.
The skill intentionally allows some metered Lensmor credit usage without a per-action approval prompt after server precheck; this is disclosed and configurable, but users should be aware of it.
Bounded metered usage actions may run without an approval prompt only after Lensmor precheck returns `allowed=true` and their credit cost is at or below `maxAutoApprovedMeteredCredits` (default `100`).
Set maxAutoApprovedMeteredCredits to 0 if you want approval for every chargeable metered action.
The tool acts with the privileges of the configured Lensmor API key.
The plugin uses a Lensmor API key from the runtime environment. This is disclosed in SKILL.md and purpose-aligned, but the registry metadata says there are no required env vars or primary credential.
    const baseUrlRaw = String(env.LENSMOR_BASE_URL ?? "").trim();
    const apiKey = String(env.LENSMOR_API_KEY ?? "").trim();
    ...
    throw new Error("LENSMOR_BASE_URL and LENSMOR_API_KEY are required");

Use a scoped Lensmor API key if available, verify LENSMOR_BASE_URL is the intended Lensmor endpoint, and have the publisher declare these env vars in registry metadata.
