screen-life
Security checks across malware telemetry and agentic risk
Overview
This skill fits its activity-reporting purpose, but it installs a persistent monitor, relies on missing or unreviewed daemon code, and can upload private activity reports to an LLM despite claiming data stays local.
Review this carefully before installing. Only use it if you are comfortable with continuous background activity logging, verify the missing daemon code before launching it, and run reports with --no-llm if you do not want activity summaries sent to an external LLM. Also check and delete ~/.orbitos-monitor if you want to remove retained logs.
VirusTotal
67/67 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your app usage, browsing/search summaries, notes activity, or AI-tool activity may be sent to an external LLM service for analysis.
The report content can include private activity data and is posted to a configured LLM provider by default when LLM environment variables are present.
content = report_path.read_text(encoding="utf-8")[:4000] ... _req.post(f"{cfg['base_url']}/chat/completions" ... "content": "请分析这份数字生活日报..." + content)
Make LLM analysis explicit opt-in, show the destination provider before sending, and use --no-llm if you want local-only reporting.
A user may install it believing no data leaves the computer, while the default AI report path can transmit report data externally.
This local-only privacy statement is contradicted by handler.py, which posts report content to the configured LLM API for AI insights.
Privacy note: All data is stored only locally in `~/.orbitos-monitor/`; nothing is uploaded.
Correct the privacy statement and clearly disclose exactly what data is sent to the LLM and when.
Installation may fail on a clean system or may run a pre-existing local monitoring script whose behavior was not reviewed here.
The install path references daemon.py/activity_daemon.py, but daemon.py is not present in the provided manifest; if existing scripts are used, the persistent daemon code is outside the reviewed package.
cp "$SKILL_DIR/daemon.py" "$SCRIPTS_DIR/activity_daemon.py" ... <string>$SCRIPTS_DIR/activity_daemon.py</string>
Bundle the daemon source, declare it in the manifest/install spec, or fail safely instead of launching unreviewed scripts from ~/.orbitos-monitor.
Local logs and reports may accumulate detailed records of private computer activity over time.
The skill documents broad collection of sensitive behavioral context, including browsing/search history and AI-tool activity, but does not define retention limits, exclusions, or granular approval controls.
Chrome history | search terms, visited websites | none (automatic) ... Safari history ... Obsidian git ... Cursor conversations | AI usage summary
Add clear controls for included data sources, retention period, exclusions, deletion, and whether summaries may be reused or sent to other services.
The monitor can continue running and recording activity until you stop or uninstall it.
The skill deliberately installs a launchd background daemon that starts at login and is kept alive; this is purpose-aligned but high-impact for a monitoring tool.
<key>RunAtLoad</key><true/> ... <key>KeepAlive</key><true/> ... launchctl load "$PLIST_PATH"
Install only if you want continuous background monitoring; use the provided stop/uninstall commands and inspect ~/.orbitos-monitor for retained data.
