Trusted — Risk Score 5/100
Last scan: 23 hr ago
nex-life-logger
Local activity tracker - browser history, active windows, YouTube transcripts
Legitimate local activity tracker with strong privacy protections - no telemetry, no default API endpoints, OS-native credential storage, and appropriate privacy filters for sensitive content.
Skill Name: nex-life-logger
Duration: 72.7s
Engine: pi
Safe to install
No action required. This is a well-designed privacy-focused tool.

Findings (1 item)

Severity: Low
Finding: Shell execution capability not formally declared (Doc Mismatch)
SKILL.md implies file writes but does not explicitly mention subprocess usage for service management (systemctl, launchctl, osascript, xdotool). These are legitimate operations for the declared functionality.
Location: Available Commands - Service Management section (SKILL.md:1)
→ Add explicit documentation: 'Uses subprocess for service management on Linux/macOS and active window detection on Linux (xdotool).'
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | setup.sh creates venv, nex-life-logger.py writes to ~/.life-logger/ |
| Network | READ | WRITE | ✓ Aligned | youtube_transcript.py fetches transcripts; summarizer.py calls LLM API only when… |
| Shell | NONE | WRITE | ✓ Aligned | subprocess.run used for systemctl, launchctl, osascript, xdotool - all for legit… |
| Environment | READ | READ | ✓ Aligned | Reads AI_API_KEY, AI_API_BASE from env vars - optional, user-provided |
| Skill Invoke | NONE | READ | ✓ Aligned | Can invoke itself for service commands |
7 findings (external URLs and email addresses)

| Severity | Type | Value | Location |
|---|---|---|---|
| Medium | External URL | https://creativecommons.org/licenses/by-nc/4.0/legalcode | LICENSE.txt:26 |
| Medium | External URL | https://nex-ai.be | LICENSE.txt:38 |
| Medium | External URL | https://dashscope-us.aliyuncs.com/compatible-mode/v1 | nex-life-logger.py:758 |
| Medium | External URL | https://api.groq.com/openai/v1 | nex-life-logger.py:759 |
| Medium | External URL | https://python.org | setup.sh:42 |
| Medium | External URL | http://www.apple.com/DTDs/PropertyList-1.0.dtd | setup.sh:149 |
| Info | Email | [email protected] | LICENSE.txt:37 |

File Tree

16 files · 125.6 KB · 3609 lines
Python 12f · 3012L Markdown 2f · 352L Shell 1f · 207L Text 1f · 38L
├─ 📁 lib
│ ├─ 🐍 chat_filter.py Python 38L · 1.1 KB
│ ├─ 🐍 collector_headless.py Python 422L · 13.9 KB
│ ├─ 🐍 config.py Python 90L · 3.2 KB
│ ├─ 🐍 content_filter.py Python 66L · 2.2 KB
│ ├─ 🐍 exporter.py Python 126L · 5.1 KB
│ ├─ 🐍 keyword_extractor.py Python 104L · 3.1 KB
│ ├─ 🐍 secure_key.py Python 166L · 5.4 KB
│ ├─ 🐍 storage.py Python 238L · 7.6 KB
│ ├─ 🐍 summarizer.py Python 319L · 12.0 KB
│ ├─ 🐍 user_filters.py Python 404L · 16.7 KB
│ └─ 🐍 youtube_transcript.py Python 138L · 4.8 KB
├─ 📄 LICENSE.txt Text 38L · 1.2 KB
├─ 🐍 nex-life-logger.py Python 901L · 30.9 KB
├─ 📝 README.md Markdown 128L · 4.9 KB
├─ 🔧 setup.sh Shell 207L · 5.8 KB
└─ 📝 SKILL.md Markdown 224L · 7.7 KB

Dependencies (3 items)

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| openai | >=1.0 | pip | No | Used only when user configures LLM provider |
| psutil | >=5.9 | pip | No | For active window process detection |
| youtube-transcript-api | >=0.6 | pip | No | Fetches YouTube transcripts, no data exfiltration |

Security Positives

✓ No default LLM API endpoints - requires explicit user configuration
✓ No telemetry, analytics, or data exfiltration
✓ API keys stored using OS-native mechanisms (Windows Credential Manager, DPAPI, chmod 600)
✓ Sensitive windows (password managers, banking) filtered out
✓ Chat/messaging apps filtered out
✓ Only productive content tracked (AI, programming, design)
✓ Temp browser history files securely deleted (overwritten with random data)
✓ Proper file permissions (chmod 700) on data directory
✓ No hardcoded credentials
✓ base64 encoding in secure_key.py is for credential storage fallback, not code obfuscation
✓ All subprocess calls are documented and necessary for the features