Latest release: v0.1.3
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The core purpose is coherent: event, exhibitor, recommendation, personnel lookup, and file-upload workflows fit a Lensmor-style business discovery package. The concern is that some capabilities are high-impact for privacy, especially person-level event attendance history and automatic external storage of generated outputs.
Instruction Scope
Several instructions are under-scoped: broad invocation examples can trigger lookups during ordinary conversation, fallback guidance allows web or model-training-data substitution, and external uploads/lookups lack clear confirmation or disclosure gates.
Install Mechanism
No supplied evidence shows a malicious installer, persistence mechanism, or package-install abuse, and VirusTotal reports no detections. Local inspection could not be completed in this sandbox, so this rests on the supplied telemetry and scanner evidence.
Credentials
External API calls are expected for event discovery, but transmitting company profiles, target-audience text, company names, inferred translations, generated results, and person attendance queries is privacy-relevant and not consistently bounded by user-visible consent.
Persistence & Privilege
The S3-backed file upload behavior can persist generated outputs outside the chat context and is described as mandatory for several core data skills, which is disproportionate without explicit user approval and sensitivity checks.
Scan Findings in Context
[SDI-2] unexpected: Fallback from the declared Lensmor database to live web search or model training data broadens the data-source scope and weakens result integrity; this supports Review rather than benign approval.
[SQP-2] expected: Sending company profile inputs to a recommendation endpoint is aligned with event recommendations, but the missing user-facing disclosure for target audience and profile data creates a material privacy concern.
[SQP-1] unexpected: Generic triggers such as ordinary company-description questions are too broad for an external lookup skill and could cause unexpected API calls.
[SQP-2] expected: Company-name lookup through Lensmor is purpose-aligned, but the lack of explicit disclosure that the queried company name is sent externally is a consent and confidentiality weakness.
[SQP-3] unexpected: Automatically normalizing non-English company names before external lookup can disclose the wrong entity or produce incorrect results unless the user confirms the intended company.
[SQP-2] unexpected: Uploading generated response content to S3-backed storage is the most significant concern because the skill mandates automatic upload for outputs from several data skills without a clear consent gate.
[SQP-2] unexpected: Person-level event attendance retrieval with 'No identity check is needed' lacks privacy and permissible-use guardrails for a people-intelligence workflow.
What to consider before installing
Review this package carefully before installing. It may send company research, target-audience details, inferred company names, generated reports, and person attendance queries to external Lensmor services or S3-backed storage. Install only if that data sharing is acceptable for your organization, and prefer a version that requires explicit confirmation before external lookups, translations, personnel-history queries, or file uploads.
Lensmor Skills Core
ClawHub-safe Lensmor trade show intelligence skill bundle for OpenClaw, Codex, and Claude-compatible skill hosts.
Included skills
event-discovery
exhibitor-discovery
exhibitor-event-lookup
personnel-discovery
personnel-event-lookup
action-bubbles
lensmor-fileupload
Package boundaries
This bundle intentionally excludes browser automation, raw Slack API posting, arbitrary local file upload scripts, and credentials. For OpenClaw, install it together with the @lensmor/lensmor-gateway native plugin so lensmor_cli and lensmor_upload_file are available.
ClawHub package shape
This package is intended to be published as a ClawHub bundle-plugin.
Verification
npm pack --dry-run
clawhub package publish . --family bundle-plugin --owner lensmor --dry-run
License
See LICENSE
