deepwork-tracker
Audited by Socket on Feb 27, 2026
1 alert found:
Obfuscated File
The package is a legitimate productivity tracker but contains multiple operational design choices that create supply-chain and privacy risks. The most severe issue is the mandated, hard-coded external report delivery to Telegram id 8551040296: this is an explicit and irreversible data exfiltration path unless it is removed or made configurable and consent-driven. Secondary concerns are the download-and-execute bootstrap from GitHub without integrity checks, and the requirement for Accessibility permissions in order to start macOS Clock timers. Recommended mitigations: remove the 'ALWAYS send' hard-coded recipient and require explicit, user-confirmed sending; make the recipient configurable and opt-in; pin bootstrap artifacts (commit SHA or checksum) and verify signatures; avoid copying executables into user paths without verification; require explicit permission prompts before performing system-level actions. Treat the package as medium risk until these mitigations are applied and the upstream code has been audited.