Is edenjw/pocketlens safe?

https://github.com/openclaw/skills/tree/main/skills/edenjw/pocketlens

Overall score: 77/100 · CAUTION

PocketLens is a legitimately designed expense tracking skill with a clear and well-documented purpose; its SKILL.md contains no prompt injection attempts, hidden instructions, or malicious directives. However, the primary execution engine — scripts/pocket-lens.mjs — was entirely missed by the audit tool's file-capture glob (which targets *.js but not *.mjs), leaving the actual runtime behaviour of the skill completely unverified despite it being the path through which all API keys and financial data flow. Combined with the skill's access to high-sensitivity personal financial data and a configurable API base URL that could redirect credentials to an arbitrary host, this warrants manual review of the Node.js script before deployment.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (8)

HIGH Primary execution script (pocket-lens.mjs) not audited -35

The audit tool's file-capture glob pattern included *.js but not *.mjs. The file scripts/pocket-lens.mjs — the sole execution engine for all six skill capabilities — was never read or inspected. Every shell invocation the skill triggers routes through this script. Its actual network destinations, file access patterns, and environment variable reads are completely unknown.

MEDIUM High-sensitivity financial data transmitted to external endpoint -25

The skill is explicitly designed to POST transaction data (merchant, amount, date, card name), retrieve spending summaries, and fetch card billing amounts from pocketlens.app. While this is the skill's stated purpose, the combination of unverified script execution and external financial data transmission creates a meaningful exfiltration surface.

MEDIUM API base URL override allows credential and data redirection -10

The optional POCKET_LENS_API_URL environment variable overrides the API base URL for all requests. If an attacker can set this variable (e.g., via a malicious .env file, another skill, or social engineering), every API call including the Authorization: Bearer header is redirected to an attacker-controlled server, leaking both the API key and all financial data.

MEDIUM Shell command injection risk via OCR-derived merchant names -10

The create-transaction command passes a JSON string as a shell argument: node pocket-lens.mjs create-transaction '<JSON>'. Transaction JSON is populated from OCR-extracted receipt text. A crafted receipt image with a merchant name containing shell metacharacters (single quotes, semicolons, backticks, $()) could break out of the argument context if the agent constructs the command via string interpolation rather than argument arrays.

LOW Persona assumption instruction in SKILL.md -5

The skill opens with 'You are an assistant that helps users record financial transactions to PocketLens', which instructs the hosting agent to partially adopt a specific identity scoped to PocketLens operations. This is standard for skill design but creates a mild persona override.

LOW verify-connection exposes user PII to agent context -10

The verify-connection command retrieves the user's name and email from /api/external/me and instructs the agent to display them. This PII enters the agent's context window and could be retained, logged, or propagated to other skills.

INFO Clean installation — no unexpected processes or connections 0

The git sparse-checkout clone contacted only GitHub and Ubuntu CDN servers. No unexpected processes were spawned. No filesystem changes occurred outside the skill install directory.

INFO All honeypot canary files intact 0

Canary file accesses observed in inotifywait and auditd logs at timestamps 1771906726 and 1771906749 correspond to the oathe audit harness performing its own setup and post-install integrity checks, not to any skill process. No canary content was modified or exfiltrated.