Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Palest Ink - Activity Tracker

v0.1.0

Track and recall your daily activities including git commits, web browsing, shell commands, and VS Code edits. Use this skill whenever the user asks about th...

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The name/description (activity tracker) aligns with the included code: collectors for git, Chrome/Safari, shell history, VS Code, app focus, and file changes, plus reporting/query scripts. These capabilities legitimately require access to local history files, repos, and an installer that sets up background collection. However, the skill is invasive by design (reads browser DBs, shell histories, scans repos, fetches page contents) and the registry metadata did not declare required config paths or permissions (e.g., Full Disk Access/Accessibility on macOS), which is an important omission to surface to users.
Instruction Scope
SKILL.md instructions are scoped to checking installation, running local Python reporting/query/status scripts, and falling back to grepping the skill's own JSONL data files. The docs instruct the user to run collectors/install.sh to enable automatic tracking. The instructions themselves do not tell the agent to read arbitrary system files, but the collectors the installer deploys do read many sensitive local artifacts (browser DBs, ~/.zsh_history, tracked repos). That behavior is coherent with the stated purpose but is privacy-sensitive.
[!] Install Mechanism
There is no install spec in the registry, but the package contains an install.sh that (per README) will create ~/.palest-ink, install global git hooks, and install a launchd agent that runs every 15 seconds. Those installer actions modify user-level system configuration (background agents, global git hooks). Although self-contained (no external downloads shown), this is a high-impact install step and should be inspected before running.
[!] Credentials
The skill requests no environment variables in registry metadata, but the code reads many sensitive local resources (Chrome/Safari history DBs, shell history files, tracked repos, VS Code state) and requires macOS permissions (Full Disk Access, Accessibility) to function fully. That level of access is proportionate to an always-on activity monitor but is highly sensitive; the lack of declared required config/permission fields in metadata makes this mismatch noteworthy.
[!] Persistence & Privilege
The installer creates a persistent background collector (launchd agent every 15s) and installs global git hooks; this gives the skill long-lived monitoring capabilities and a wide blast radius if misused. The skill is not marked always:true in registry (good), but the persistent agent and hooks are inherent privileges and should be reviewed carefully.
What to consider before installing
This skill is coherent with an activity-tracking purpose, but it is invasive and persistent. Before installing:

  1. Review collectors/install.sh and collectors/uninstall.sh to see exactly what files/plists and git hooks will be written and how to remove them.
  2. Inspect any launchd plist the installer creates and confirm it runs only as your user (not root) and what command it runs.
  3. Review the git_hook.sh content to ensure hooks don’t leak data or run unwanted commands.
  4. Be aware the collectors read browser history DBs, shell histories, and repo contents and will fetch page content for visited URLs (collect_content.py uses urlopen). Although the package claims data stays local, these operations access sensitive data—consider installing only on a throwaway account/VM or after auditing the scripts.
  5. Confirm the uninstall path works and that config/data are stored under ~/.palest-ink and not elsewhere.
  6. If you’re uncomfortable with continuous monitoring or granting Full Disk Access/Accessibility, do not install.

If you need help, ask for a line-by-line review of install.sh, the launchd plist, and the git hook scripts before running them.
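
One way to carry out the launchd plist inspection described above, as an added example (not part of the scan report or the skill's own code): it summarises every launchd job in a directory whose command references the install directory. The `.palest-ink` marker is an assumption based on the install path named in the report, and the label and script path in `demo()` are constructed placeholders.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError


def audit_launch_agents(agents_dir, marker=".palest-ink"):
    """Summarise every launchd job in agents_dir whose command mentions marker."""
    findings = []
    for plist_path in sorted(Path(agents_dir).glob("*.plist")):
        try:
            with open(plist_path, "rb") as fh:
                job = plistlib.load(fh)
        except (OSError, ValueError, ExpatError, plistlib.InvalidFileException):
            continue  # unreadable or malformed plist: skip it
        if not isinstance(job, dict):
            continue
        argv = job.get("ProgramArguments") or [job.get("Program", "")]
        if not any(marker in str(arg) for arg in argv):
            continue
        findings.append({
            "file": plist_path.name,
            "label": job.get("Label"),
            "command": [str(arg) for arg in argv],
            "start_interval": job.get("StartInterval"),  # seconds between runs
            "run_at_load": bool(job.get("RunAtLoad", False)),
            "user_name": job.get("UserName"),  # only honoured for system daemons
        })
    return findings


def demo():
    """Run the audit over a constructed plist; label and path are placeholders."""
    with tempfile.TemporaryDirectory() as tmp:
        job = {
            "Label": "com.example.placeholder-collector",
            "ProgramArguments": ["/bin/sh", "/Users/example/.palest-ink/bin/PLACEHOLDER.sh"],
            "StartInterval": 15,
            "RunAtLoad": True,
        }
        with open(Path(tmp, "constructed.plist"), "wb") as fh:
            plistlib.dump(job, fh)
        Path(tmp, "broken.plist").write_text("<?xml version='1.0'?><plist><dict>")
        return audit_launch_agents(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real machine, point `audit_launch_agents` at `~/Library/LaunchAgents` (jobs that run as the logged-in user) and at `/Library/LaunchDaemons` (jobs that run as root by default); a hit in the second directory would contradict the user-only expectation.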

Like a lobster shell, security has layers — review code before you run it.

latest: vk970m1bzz0khn3td9ewsggbx1h828sec
389 downloads
0 stars
2 versions
Updated 8h ago
v0.1.0
MIT-0

Palest Ink (淡墨) — Activity Tracker & Daily Reporter

好记性不如烂笔头 — The faintest ink is better than the strongest memory.

Overview

Palest Ink tracks the user's daily activities automatically:

  • Git operations: commits, pushes, pulls, branch switches
  • Web browsing: Chrome & Safari history with page content summaries
  • Shell commands: zsh/bash command history with execution duration
  • VS Code edits: recently opened/edited files
  • App focus: which application is in the foreground, with time duration
  • File changes: files modified in watched directories

All data is stored locally at ~/.palest-ink/data/YYYY/MM/DD.jsonl.

Setup Check

Before answering any query, first check if Palest Ink is installed:

test -f ~/.palest-ink/config.json && echo "INSTALLED" || echo "NOT_INSTALLED"

If NOT installed, tell the user:

Palest Ink is not yet set up. To install, run:

bash <SKILL_PATH>/../../collectors/install.sh

This will set up automatic tracking of git, browsing, and shell activity.

Then stop and wait for the user to install.

Answering Queries

Daily Report / "What did I do today?"

Run the report generator:

python3 <SKILL_PATH>/scripts/report.py --date today

  • For yesterday: --date yesterday
  • For a specific date: --date 2026-03-03
  • For the whole week: --week

Read the output and present it conversationally to the user. Highlight notable patterns (focused work sessions, frequent topics, etc).

Searching for Specific Activities

Use the query tool to search activity records:

python3 <SKILL_PATH>/scripts/query.py --date today --type git_commit --search "plugin"

Common query patterns:

| User asks about... | Arguments |
|---|---|
| A git commit | --type git_commit --search "keyword" |
| A webpage about X | --type web_visit --search-content "keyword" |
| Shell commands | --type shell_command --search "keyword" |
| VS Code files | --type vscode_edit --search "keyword" |
| App focus / screen time | --type app_focus --summary |
| File changes in project | --type file_change --search "project" |
| Everything today | --date today --summary |
| Date range | --from 2026-03-01 --to 2026-03-07 |

Important: When the user searches for web page content (e.g., "which website talked about homebrew"), use --search-content instead of --search. This searches within page content summaries and keywords, not just URLs and titles.

Status Check

Show collector status and data statistics:

python3 <SKILL_PATH>/scripts/status.py

If the output contains "CLEANUP RECOMMENDED", proactively tell the user:

"Your palest-ink data is approaching 2 GB. Would you like me to clean up older records?"

If the user agrees, first show a dry-run preview:

python3 ~/.palest-ink/bin/cleanup.py --dry-run

Present the preview (how many files, date range, records count, space to free). Then ask for explicit confirmation before actually deleting:

python3 ~/.palest-ink/bin/cleanup.py --force

Options:

  • --max-size N — threshold in GB (default: 2.0)
  • --keep-days N — always keep the most recent N days (default: 30)
  • --dry-run — preview only, no changes
  • --force — skip the interactive prompt (use after user confirms in chat)

Fallback: Direct File Reading

If scripts fail or for simple lookups, read the JSONL files directly:

  1. Construct the file path: ~/.palest-ink/data/YYYY/MM/DD.jsonl
  2. Use Grep to search: grep "keyword" ~/.palest-ink/data/2026/03/03.jsonl
  3. Each line is a JSON object with fields: ts, type, source, data

Data Schema

Activity Types

  • git_commit — data: repo, branch, hash, message, files_changed, insertions, deletions
  • git_push — data: repo, branch, remote, remote_url
  • git_pull — data: repo, branch, is_squash
  • git_checkout — data: repo, from_ref, to_branch
  • web_visit — data: url, title, visit_duration_seconds, browser, content_summary, content_keywords
  • shell_command — data: command, duration_seconds (null if not available)
  • vscode_edit — data: file_path, workspace, language
  • app_focus — data: app_name, window_title, duration_seconds
  • file_change — data: path, workspace, language, event

Web Visit Content

Web visits include a content_summary field (up to 800 chars of page text) and content_keywords (extracted keywords). This enables content-based search.

Example: if the user browsed a page about "Homebrew installation guide", the content_summary will contain the actual page text, making it searchable even if the URL and title don't mention it.
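
Because shell commands, visited URLs and git remote URLs are stored verbatim in these records, a day's file can end up holding credentials. The following added example (not part of the skill's code) audits JSONL lines in the schema above and reports which records carry credential-like values without echoing them; the regex heuristics, the `ts` format and the `source` value in the sample are assumptions.

```python
import json
import re
from urllib.parse import parse_qsl

# Heuristics chosen for this example; extend them for your own environment.
URL_USERINFO = re.compile(r"://[^/\s:@]+:[^/\s@]+@")
SECRET_IN_COMMAND = re.compile(
    r"\b(?:password|passwd|token|secret|api[_-]?key)\s*[=:]\s*\S+"
    r"|authorization:\s*(?:bearer|basic)\s+\S+|" + URL_USERINFO.pattern, re.IGNORECASE)
SENSITIVE_QUERY_KEYS = {"token", "access_token", "api_key", "apikey", "password", "code"}


def audit_records(lines):
    """Return (line_number, type, reason) tuples; matched values are never echoed."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None  # e.g. a record truncated by an interrupted write
        if not isinstance(rec, dict) or not isinstance(rec.get("data"), dict):
            findings.append((lineno, "malformed", "not a JSON object with a data field"))
            continue
        kind, data = rec.get("type"), rec["data"]
        if kind == "shell_command" and SECRET_IN_COMMAND.search(str(data.get("command", ""))):
            findings.append((lineno, kind, "credential-like value in command"))
        elif kind == "web_visit":
            query = str(data.get("url", "")).partition("?")[2].partition("#")[0]
            hits = sorted({k.lower() for k, _ in parse_qsl(query)} & SENSITIVE_QUERY_KEYS)
            if hits:
                findings.append((lineno, kind, "sensitive query parameter: " + ", ".join(hits)))
        elif kind == "git_push" and URL_USERINFO.search(str(data.get("remote_url", ""))):
            findings.append((lineno, kind, "credentials embedded in remote_url"))
    return findings


def sample_lines():
    """Constructed records; the ts format and source value are assumptions."""
    base = {"ts": "2026-03-03T09:00:00", "source": "constructed"}
    records = [
        ("shell_command", {"command": "git status", "duration_seconds": 1}),
        ("shell_command", {"command": 'curl -H "Authorization: Bearer EXAMPLE" https://example.com'}),
        ("web_visit", {"url": "https://example.com/reset?token=EXAMPLE&lang=en", "title": "Reset"}),
        ("git_push", {"repo": "demo", "remote_url": "https://user:EXAMPLE@example.com/demo.git"}),
    ]
    good = [json.dumps({**base, "type": t, "data": d}) for t, d in records]
    return good + ['{"ts": "2026-03-03T09:05:00", "type": "shell_co']  # truncated line
```

To audit a real day, pass an open file such as `~/.palest-ink/data/2026/03/03.jsonl` to `audit_records`; the returned line numbers identify the records to redact or delete.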

Tips for Good Answers

  1. When showing git activity, include the commit message and changed files
  2. When showing web visits, include both the title and a brief content summary
  3. For "what did I do" questions, give a narrative summary, not just raw data
  4. Group related activities together (e.g., "You worked on project X, making 5 commits...")
  5. If the search returns too many results, help the user narrow down
  6. Mention the time of activities to give temporal context
