Daily Review

Security checks across malware telemetry and agentic risk

Overview

The skill's high-level purpose (aggregating personal productivity signals) matches most of the code, but there are multiple inconsistencies and risky practices, notably hardcoded credentials and a hardwired SSH target, that make this unsafe to install without changes.

This skill aggregates lots of personal data and in its current form is risky to install:

1) It expects many secrets (Google Workspace, Slack, Fireflies, Bird/X cookies) but the registry doesn't declare them; verify what secrets you'll need and store them securely.

2) The script contains hardcoded credentials (an X/Bird auth token and ct0 cookie) and a hardcoded SSH user/host; do NOT run this as-is. Those hardcoded values expose credentials and indicate the package may be tailored to a specific person's environment.

3) The script SSHes into a remote Mac and reads the Screen Time database and ActivityWatch on that host; confirm you control/trust that remote machine before allowing SSH or running the script.

4) Before installing: ask the publisher for a version that removes embedded secrets, makes the remote host and usernames configurable, and documents exactly which tokens/files are required; review/replace hardcoded tokens; audit any third-party code you will git-clone (bird CLI).

5) If you still want to use it, run it in a sandbox or isolated account, rotate any exposed tokens, and only provide the minimum credentials necessary (prefer short-lived or scoped tokens).

Given the hardcoded credentials and hardwired SSH target, treat this package as untrusted until those issues are fixed.

SkillSpector

By NVIDIA

SkillSpector findings are pending for this release.

VirusTotal

No VirusTotal findings