Trusted: risk score 5/100
Last scan: 1 day ago
nex-life-logger
Local activity tracker - browser history, active windows, YouTube transcripts
Legitimate local activity tracker with strong privacy protections - no telemetry, no default API endpoints, OS-native credential storage, and appropriate privacy filters for sensitive content.
Skill name: nex-life-logger
Analysis time: 72.7s
Engine: pi
Verdict: OK to install
No action required. This is a well-designed privacy-focused tool.

Security findings: 1

Severity: Low
Finding: Shell execution capability not formally declared (category: documentation deception)
Description: SKILL.md implies file writes but does not explicitly mention subprocess usage for service management (systemctl, launchctl, osascript, xdotool). These are legitimate operations for the declared functionality.
Location: SKILL.md:1, "Available Commands - Service Management" section
Recommendation: Add explicit documentation: 'Uses subprocess for service management on Linux/macOS and active window detection on Linux (xdotool).'
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Consistent | setup.sh creates venv, nex-life-logger.py writes to ~/.life-logger/
Network access | READ | WRITE | ✓ Consistent | youtube_transcript.py fetches transcripts; summarizer.py calls LLM API only when…
Command execution | NONE | WRITE | ✓ Consistent | subprocess.run used for systemctl, launchctl, osascript, xdotool - all for legit…
Environment variables | READ | READ | ✓ Consistent | Reads AI_API_KEY, AI_API_BASE from env vars - optional, user-provided
Skill invocation | NONE | READ | ✓ Consistent | Can invoke itself for service commands
Findings: 7

Severity | Type | Value | Location
Medium | External URL | https://creativecommons.org/licenses/by-nc/4.0/legalcode | LICENSE.txt:26
Medium | External URL | https://nex-ai.be | LICENSE.txt:38
Medium | External URL | https://dashscope-us.aliyuncs.com/compatible-mode/v1 | nex-life-logger.py:758
Medium | External URL | https://api.groq.com/openai/v1 | nex-life-logger.py:759
Medium | External URL | https://python.org | setup.sh:42
Medium | External URL | http://www.apple.com/DTDs/PropertyList-1.0.dtd | setup.sh:149
Info | Email address | [email protected] | LICENSE.txt:37

Directory structure

16 files · 125.6 KB · 3609 lines
Python: 12 files · 3012 lines; Markdown: 2 files · 352 lines; Shell: 1 file · 207 lines; Text: 1 file · 38 lines
├─ 📁 lib
│ ├─ 🐍 chat_filter.py Python 38L · 1.1 KB
│ ├─ 🐍 collector_headless.py Python 422L · 13.9 KB
│ ├─ 🐍 config.py Python 90L · 3.2 KB
│ ├─ 🐍 content_filter.py Python 66L · 2.2 KB
│ ├─ 🐍 exporter.py Python 126L · 5.1 KB
│ ├─ 🐍 keyword_extractor.py Python 104L · 3.1 KB
│ ├─ 🐍 secure_key.py Python 166L · 5.4 KB
│ ├─ 🐍 storage.py Python 238L · 7.6 KB
│ ├─ 🐍 summarizer.py Python 319L · 12.0 KB
│ ├─ 🐍 user_filters.py Python 404L · 16.7 KB
│ └─ 🐍 youtube_transcript.py Python 138L · 4.8 KB
├─ 📄 LICENSE.txt Text 38L · 1.2 KB
├─ 🐍 nex-life-logger.py Python 901L · 30.9 KB
├─ 📝 README.md Markdown 128L · 4.9 KB
├─ 🔧 setup.sh Shell 207L · 5.8 KB
└─ 📝 SKILL.md Markdown 224L · 7.7 KB

Dependency analysis: 3 packages

Package | Version | Source | Known vulnerabilities | Notes
openai | >=1.0 | pip | none listed | Used only when user configures LLM provider
psutil | >=5.9 | pip | none listed | For active window process detection
youtube-transcript-api | >=0.6 | pip | none listed | Fetches YouTube transcripts, no data exfiltration

Security highlights

✓ No default LLM API endpoints - requires explicit user configuration
✓ No telemetry, analytics, or data exfiltration
✓ API keys stored using OS-native mechanisms (Windows Credential Manager, DPAPI, chmod 600)
✓ Sensitive windows (password managers, banking) filtered out
✓ Chat/messaging apps filtered out
✓ Only productive content tracked (AI, programming, design)
✓ Temp browser history files securely deleted (overwritten with random data)
✓ Proper file permissions (chmod 700) on data directory
✓ No hardcoded credentials
✓ base64 encoding in secure_key.py is for credential storage fallback, not code obfuscation
✓ All subprocess calls are documented and necessary for the features