Track computer activity (browser history, active windows, YouTube videos) locally and query it with AI. All activity data stays on your machine. LLM features...
Security Analysis
medium confidenceThe skill's code, instructions, and requirements are consistent with a local activity-tracking tool that installs a user-level background collector and offers optional LLM features; nothing in the bundle looks intentionally deceptive, but it is privacy-sensitive and installs a persistent service when you run setup.sh.
Name/description (local activity logger: browser history, active windows, YouTube transcripts) match the code and CLI commands. Required binary is only python3 which is appropriate. The files show logic to read browser history, active window, extract keywords, store to a local SQLite DB, and optionally call an LLM for summaries — all coherent with the stated purpose.
SKILL.md tells the agent/user to run setup.sh to initialize a local DB, install dependencies, and start a background collector. The collector code reads browser history files, active window titles/processes, and will fetch YouTube transcripts (network) by default. The project includes filters for chat/sensitive windows, but the collector still touches many local artifacts (browser DBs, window titles). These actions are within the stated scope but are privacy-sensitive and should be explicitly acknowledged by users before running.
No marketplace install spec is declared (instruction-only), but a setup.sh installer is included which creates a venv, pip-installs packages from PyPI (openai, psutil, youtube-transcript-api), writes a wrapper into ~/.local/bin, and installs a user-level systemd/LaunchAgent service that starts the collector. The installer does not download arbitrary archives or use suspicious URLs; it uses PyPI and creates service files under user home. Creating a persistent per-user service is expected for this tool but is a meaningful system change.
The registry declares no required env vars and the bundle does not require unrelated credentials. LLM-related credentials are optional: AI_API_KEY and related settings are read only if the user configures them; secure_key implements OS keystore and a file fallback. Installing the openai client by default is unnecessary until the user configures LLM use, but not incoherent. The secure_key fallback writes a base64-encoded file and relies on file permissions for security — users should review that behavior if they store secrets locally.
The installer (setup.sh) creates and enables a background collector service (systemd user unit or macOS LaunchAgent) and starts it automatically. While this requires the user to run setup.sh, it results in a persistent background process that collects browser history and active-window events on every machine login. That persistence is a significant privilege and a privacy surface — users should only run setup.sh after reviewing the service and code.
Guidance
This package appears to be what it says: a local activity logger that collects browser history, active windows, and YouTube transcripts and stores them in ~/.life-logger. Before installing or running setup.sh: 1) Review setup.sh and the generated systemd/LaunchAgent file — setup.sh will create a per-user service and start it automatically. 2) Inspect collector_headless.py and summarizer.py (LLM code) if you want to be sure no unexpected endpoints are contacted; transcripts are fetched from YouTube by default. 3) If you do not want network requests, set FETCH_TRANSCRIPTS = False in lib/config.py and do not configure an LLM provider (do not run config set-api-key). 4) Be aware data is stored locally in ~/.life-logger; exports (JSON/CSV/HTML) create files containing sensitive history — protect or delete them. 5) The secure_key fallback may store your API key in a base64 file protected by file permissions; if you rely on strong OS credential stores, verify that those code paths run on your OS. 6) If you have any concerns about persistent collectors, run the collector once (collector_headless.py --once) for testing rather than enabling the service, and audit the service entry before enabling. If you want higher assurance, request the missing code portions (summarizer/export network calls) or run the code in a controlled environment first.
Latest Release
v1.1.0
nex-life-logger 1.0.6 – No code or documentation changes detected. - No files were modified in this release. - Functionality and documentation remain unchanged from the previous version.
More by @nexaiguy
Published by @nexaiguy on ClawHub
