Lofy
v1.0.0Personal AI chief of staff — a complete life management system for OpenClaw. Proactive morning briefings, evening reviews, weekly reports, fitness tracking, career management, project tracking, smart home control, and brain-inspired memory architecture. Use when setting up a personal AI assistant that manages your entire life through natural conversation across Telegram, WhatsApp, Discord, or any OpenClaw channel.
⭐ 1· 853·1 current·1 all-time
byHarreynish Gowtham@harrey401
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims deep integrations (Google Workspace, Home Assistant, Spotify, browser automation) and continuous life-management responsibilities, but the registry metadata declares no required environment variables or binaries. Templates reference external CLIs/APIs (gog, spogo) and an env var name (HA_TOKEN) for Home Assistant; those capabilities would legitimately require credentials and/or installed CLIs, so the lack of declared requirements is inconsistent.
Instruction Scope
Runtime instructions ask the agent to copy templates into the workspace, read USER.md, SOUL.md, recent daily logs, and in main sessions also MEMORY.md; set up periodic cron jobs / heartbeat polls to scan unread email, calendar events, follow-ups, and deadlines; and autonomously update profile and memory files. The AGENTS.md line 'Don't ask permission. Just do it.' instructs automatic reading of private workspace memory each session. These steps involve persistent reading and writing of highly sensitive personal data and scheduled external actions (email/calendar checks) but do not specify how credentials or consent are handled.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes direct supply-chain risk because nothing is downloaded or executed by default. The security surface is primarily the runtime instructions and the files the skill tells the agent to create/read.
Credentials
No required env vars are declared, yet templates include 'token_env': 'HA_TOKEN' and TOOLS.md mentions account/CLI specifics. The skill's functionality (Gmail, Calendar, Home Assistant, Spotify) normally requires API keys, tokens, or OAuth credentials. The omission of declared credentials is a mismatch: the skill will need sensitive secrets to function, but doesn't declare them or provide secure handling guidance.
Persistence & Privilege
always:false and there is no install-time persistence, but the skill explicitly instructs creating and continually updating workspace files (memory logs, PROFILE, DATA/*.json) and recommends scheduling recurring agent turns (cron / heartbeat). That gives it ongoing access to stored personal data and the ability to schedule autonomous actions; this is expected for a personal assistant but increases long-term privacy exposure and should be gated by user consent and restricted credential handling.
What to consider before installing
This skill purports to manage sensitive personal data (email, calendar, health, home devices) and to run scheduled, autonomous checks, but it does not declare the credentials or binaries it needs (e.g., Gmail/Calendar auth, HA_TOKEN, gog/spogo CLIs). Before installing, verify: 1) how and where you will store API keys/tokens (prefer secret/env management, not plaintext in workspace files), 2) which CLIs or OAuth flows the agent will actually use and whether you must install them, 3) who can access the generated memory files and whether they are encrypted/backed up, 4) whether cron/heartbeat jobs will run with scope you expect, and 5) remove or audit any automatic behaviors that read MEMORY.md or daily logs if you do not want the agent to access those every session. Because the skill will persist and update personal files, only proceed if you trust the author or are prepared to host credentials locally and review all created files and scheduled tasks.Like a lobster shell, security has layers — review code before you run it.
latestvk978r2jj9sqr72c6pyx0z8ryrs80x13y
License
MIT-0
Free to use, modify, and redistribute. No attribution required.