Is edenjw/pocket-lens safe?
https://github.com/openclaw/skills/tree/main/skills/edenjw/pocket-lens
The PocketLens skill provides legitimate expense tracking functionality but handles highly sensitive financial data that is transmitted to external services. While no malicious behavior was detected during installation, the skill inherently creates privacy and security risks due to the nature of financial data it processes and transmits.
Findings (3)
HIGH Sensitive Financial Data Transmission -40
The skill's core functionality involves extracting sensitive financial information from receipts and card statements (amounts, merchant names, card details, dates) and transmitting this data to an external service at pocketlens.app. This creates significant privacy risks as users' complete spending patterns and financial behavior are exposed to a third-party service.
MEDIUM Executable Script with User Data Processing -25
The skill includes a Node.js script (pocket-lens.mjs) that processes user-controlled JSON data for API interactions. While appearing legitimate, executable scripts always present potential attack vectors if input validation is insufficient.
LOW External Service Dependency Risk -35
The skill creates a dependency on an external service (pocketlens.app) for core functionality. If this service is compromised, becomes malicious, or has data breaches, all user financial data could be at risk. Users have no control over how this external service handles their sensitive information.