edenjw

PocketLens

by Eden Jeongwoo Hong · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
588 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install pocket-lens
Description
Use when user wants to track expenses, scan receipts, upload card payment screenshots, categorize spending, record transactions, check spending summaries, vi...
Usage Guidance
This skill appears to do what it says: it uses Node and your PocketLens API key to upload parsed receipt/statement data to pocketlens.app. Before installing: (1) only provide an API key you trust and give it the minimum necessary permissions (the README requests a write/full key to create transactions), (2) do not set POCKET_LENS_API_URL to an unknown host — that would send your API key elsewhere, (3) be aware uploaded images will be processed by the agent's vision tool (they may be sent to the platform's vision provider), and (4) inspect the included script if you want extra assurance (it is readable and uses only fetch to call /api/external/* endpoints). Revoke the key if you stop using the skill or if you suspect misuse.
Capability Analysis
Type: OpenClaw Skill
Name: pocket-lens
Version: 1.0.0

The skill integrates with PocketLens for expense tracking, which is a benign purpose. However, a significant vulnerability exists in the `SKILL.md` instructions for the OpenClaw agent. Specifically, when the agent is instructed to execute `node pocket-lens.mjs create-transaction '<JSON>'`, the JSON argument is derived from user input (either from image analysis or manual entry). If the OpenClaw agent fails to properly sanitize or shell-escape this user-controlled JSON string before passing it to the shell, it could lead to shell injection, allowing arbitrary command execution on the host system. While the skill's instructions suggest using single quotes for the JSON argument, the ultimate responsibility for robust escaping of user-controlled content lies with the agent's implementation, making this a high-risk vulnerability rather than intentional malice within the skill itself.
Capability Assessment
Purpose & Capability
Name, description, required binary (node), and required credential (POCKET_LENS_API_KEY) align with an integration that posts transactions and queries spending from pocketlens.app. The helper script talks to endpoints under the PocketLens domain shown in the homepage.
Instruction Scope
SKILL.md directs the agent to analyze receipt images with the platform's image tool, parse the returned JSON, and invoke the included node helper script to call PocketLens API endpoints. It does not instruct reading unrelated files or accessing other credentials. Note: image analysis uses the platform 'image' tool (so uploaded images will be processed by the agent's vision provider).
Install Mechanism
No install spec (instruction-only skill) and the included helper is a local Node script. No network downloads or archive extraction are used by the skill package itself.
Credentials
Only POCKET_LENS_API_KEY is required (primary credential), which is appropriate. SKILL.md and README mention an optional POCKET_LENS_API_URL env var (to change the API base) but that optional var is not listed under required env — this is a minor documentation mismatch. Be cautious not to point POCKET_LENS_API_URL to an untrusted host because the script will send your API key to that URL.
Persistence & Privilege
`always` is false, and the skill does not request persistent system configuration or access to other skills' settings. It only invokes a local helper and makes network calls to the PocketLens API using the provided key.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install pocket-lens
  3. After installation, invoke the skill by name or use /pocket-lens
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
PocketLens skill initial release:
  - Enables uploading and auto-extraction of expense data from images of receipts, card statements, and payment screenshots.
  - Supports manual transaction entry via natural language, including Korean and English.
  - Provides tools to check PocketLens connection and API key status.
  - Allows users to view and list their expense categories.
  - Delivers spending summaries with category and card breakdowns by month.
  - Offers card billing details, including payment due dates and unpaid amounts.
  - Includes clear error messages for common API issues.
Metadata
Slug pocket-lens
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is PocketLens?

Use when user wants to track expenses, scan receipts, upload card payment screenshots, categorize spending, record transactions, check spending summaries, vi... It is an AI Agent Skill for Claude Code / OpenClaw, with 588 downloads so far.

How do I install PocketLens?

Run "/install pocket-lens" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is PocketLens free?

Yes, PocketLens is completely free (open-source). You can download, install and use it at no cost.

Which platforms does PocketLens support?

PocketLens is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created PocketLens?

It is built and maintained by Eden Jeongwoo Hong (@edenjw); the current version is v1.0.0.
