Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

screen-life

v1.0.0

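macOS digital life daily report: automatically monitors what you do on your computer each day and generates a readable behavior report. Zero configuration, one-click install, runs silently in the background. Triggered when the user wants to see what they did on the computer today, analyze productivity, or view app usage time.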

by vine.xio @vineindalvik
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
!
Purpose & Capability
The README/description says the skill will read app usage, browser history, Obsidian git, Whisper, etc., and run silently in the background. The packaged files only include handler.py and install.sh; there is no daemon.py or explicit Chrome/Safari/history-reading implementation included. install.sh attempts to copy a daemon.py (and handler.py -> report_generator) but daemon.py is missing from the package, so the declared background-monitoring capability is not actually present in the bundle as provided.
!
Instruction Scope
handler.py reads local logs (~/.orbitos-monitor/*), may load a local .env, and will POST report content to an LLM endpoint if OpenClaw-injected LLM envs exist. The SKILL.md claims '不上传任何内容' (no uploading) which contradicts run_llm_analysis (sends report text to base_url) and push_feishu (posts to FEISHU_WEBHOOK_URL). Feishu webhook env is used but not declared in requires.env. The instructions therefore permit transmitting local activity to external endpoints and also allow reading environment variables or .env files beyond what was documented.
!
Install Mechanism
There is no formal package install spec, but install.sh will create ~/.orbitos-monitor, write a LaunchAgents plist into ~/Library/LaunchAgents, and attempt to copy scripts into that directory and launch a persistent daemon via launchctl. However, the referenced daemon.py is not included in the package, so the install script is incomplete and may fail or leave a plist pointing to a missing binary. The script writes persistent system files (plist, logs) which is expected for a monitor but is higher-impact than a purely CLI skill.
!
Credentials
SKILL.md declares reliance on OpenClaw-injected LLM envs (OPENCLAW_LLM_API_KEY, OPENCLAW_LLM_BASE_URL, OPENCLAW_LLM_MODEL) which handler.py uses to send report content to a remote LLM — this is proportionate only if the user understands reports will be transmitted externally. However, the skill also reads a local .env and uses FEISHU_WEBHOOK_URL if present (not declared), meaning it may access and transmit sensitive tokens not listed in requires.env. The privacy statement claiming 'no upload' is contradicted by the code that posts data externally.
Persistence & Privilege
The installer creates a user LaunchAgent plist with RunAtLoad and KeepAlive set, so the monitor will persist across logins and run continuously. The skill is not marked always:true in metadata (so it won't be auto-enabled in every agent run), but the install script gives it persistent system presence in the user's account — appropriate for a monitor, but a higher-privilege action that should be explicitly consented to. Combined with the ability to send data externally, this increases sensitivity.
What to consider before installing
Before installing:
1) Do not install or run the install.sh until you inspect the missing files — the package references daemon.py (activity daemon) which is not included; installation may fail or leave a LaunchAgent pointing at a missing script.
2) The privacy claim in SKILL.md is inaccurate: the handler will send report text to an external LLM endpoint (OPENCLAW_LLM_BASE_URL) if OpenClaw injects those env vars, and can post to a FEISHU webhook if FEISHU_WEBHOOK_URL is set. If you want strictly local-only operation, run handler.py with --no-llm and avoid setting any webhook env; still inspect the code for any network calls.
3) The installer writes a LaunchAgents plist and persists a daemon and logs under ~/.orbitos-monitor — review and backup before installing.
4) Check for expected missing components (daemon.py, any browser-history readers) and ask the maintainer for the complete source; the current bundle is incomplete and could be a packaging error or an attempt to mislead.
5) If you lack confidence in the package, prefer running the analysis on a disposable/macOS test account or sandbox, or request the full source and a human code review focusing on the daemon and any code that reads browser history or uploads data.


Runtime requirements

Bins: python3
