edenjw

PocketLens

Author: Eden Jeongwoo Hong · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 588
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install pocket-lens
Description
Use when user wants to track expenses, scan receipts, upload card payment screenshots, categorize spending, record transactions, check spending summaries, vi...
Security usage recommendations
This skill appears to do what it says: it uses Node and your PocketLens API key to upload parsed receipt/statement data to pocketlens.app. Before installing: (1) only provide an API key you trust and give it the minimum necessary permissions (the README requests a write/full key to create transactions), (2) do not set POCKET_LENS_API_URL to an unknown host — that would send your API key elsewhere, (3) be aware uploaded images will be processed by the agent's vision tool (they may be sent to the platform's vision provider), and (4) inspect the included script if you want extra assurance (it is readable and uses only fetch to call /api/external/* endpoints). Revoke the key if you stop using the skill or if you suspect misuse.
Functional analysis
Type: OpenClaw Skill
Name: pocket-lens
Version: 1.0.0

The skill integrates with PocketLens for expense tracking, which is a benign purpose. However, a significant vulnerability exists in the `SKILL.md` instructions for the OpenClaw agent. Specifically, when the agent is instructed to execute `node pocket-lens.mjs create-transaction '<JSON>'`, the JSON argument is derived from user input (either from image analysis or manual entry). If the OpenClaw agent fails to properly sanitize or shell-escape this user-controlled JSON string before passing it to the shell, it could lead to shell injection, allowing arbitrary command execution on the host system.

While the skill's instructions suggest using single quotes for the JSON argument, the ultimate responsibility for robust escaping of user-controlled content lies with the agent's implementation, making this a high-risk vulnerability rather than intentional malice within the skill itself.
Capability assessment
Purpose & Capability
Name, description, required binary (node), and required credential (POCKET_LENS_API_KEY) align with an integration that posts transactions and queries spending from pocketlens.app. The helper script talks to endpoints under the PocketLens domain shown in the homepage.
Instruction Scope
SKILL.md directs the agent to analyze receipt images with the platform's image tool, parse the returned JSON, and invoke the included node helper script to call PocketLens API endpoints. It does not instruct reading unrelated files or accessing other credentials. Note: image analysis uses the platform 'image' tool (so uploaded images will be processed by the agent's vision provider).
Install Mechanism
No install spec (instruction-only skill) and the included helper is a local Node script. No network downloads or archive extraction are used by the skill package itself.
Credentials
Only POCKET_LENS_API_KEY is required (primary credential), which is appropriate. SKILL.md and README mention an optional POCKET_LENS_API_URL env var (to change the API base) but that optional var is not listed under required env — this is a minor documentation mismatch. Be cautious not to point POCKET_LENS_API_URL to an untrusted host because the script will send your API key to that URL.
Persistence & Privilege
`always` is false, and the skill does not request persistent system configuration or access to other skills' settings. It only invokes a local helper and makes network calls to the PocketLens API using the provided key.
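How to use
  1. Make sure OpenClaw is installed (locally or via Docker).
  2. Enter the install command in the chat box: /install pocket-lens
  3. Once installation completes, invoke the Skill by name or trigger it with /pocket-lens
  4. Provide the required inputs according to the Skill's parameter description to get structured output.
Version history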
v1.0.0
PocketLens skill initial release:
- Enables uploading and auto-extraction of expense data from images of receipts, card statements, and payment screenshots.
- Supports manual transaction entry via natural language, including Korean and English.
- Provides tools to check PocketLens connection and API key status.
- Allows users to view and list their expense categories.
- Delivers spending summaries with category and card breakdowns by month.
- Offers card billing details, including payment due dates and unpaid amounts.
- Includes clear error messages for common API issues.
Metadata
Slug pocket-lens
Version 1.0.0
License
Total installs 0
Current installs 0
Version count 1
FAQ

What is PocketLens?

Use when user wants to track expenses, scan receipts, upload card payment screenshots, categorize spending, record transactions, check spending summaries, vi... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 588 total downloads so far.

How do I install PocketLens?

Run the command "/install pocket-lens" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is needed.

Is PocketLens free?

Yes, PocketLens is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does PocketLens support?

PocketLens runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed PocketLens?

Developed and maintained by Eden Jeongwoo Hong (@edenjw); the current version is v1.0.0.
