lifestack

MarkdownAgent SkillsSafety Infrastructure
GitHub

lifestack is twenty composable markdown skills across three domains — personal finance, social media, and health — with a four-tier permission model, append-only audit trails, context integrity protections, and built-in workflow-optimizer integration for measurable reliability. It works with both OpenClaw and Claude Code, and every skill enforces its permission tier before touching your data.

The project is open source at github.com/yihan2099/lifestack. MIT licensed.

Why I Built It

I wrote The OpenClaw Illusion arguing that personal AI agents have the form factor right and the infrastructure wrong. No permission model. No audit trails. Context compaction that silently drops safety instructions. The Kaspersky audit found 512 vulnerabilities. Cisco called them "a security nightmare." But the scariest part was that OpenClaw's skill system had no concept of permission tiers at all. A read-only portfolio check and a "delete all my emails" command ran with identical privileges.

The Summer Yue incident — a Meta AI security researcher whose agent autonomously deleted 200+ emails after safety instructions were lost to context compaction — demonstrated the baseline failure mode for any agent that touches personal data without guardrails. Life management is where the stakes are highest. An agent that miscategorizes expenses changes your budget decisions. One that posts to LinkedIn without approval damages your professional reputation. One that deletes mood journal entries destroys something irreplaceable.

I wanted to prove that life management skills could be built right, with the safety infrastructure I had been calling for.

The Permission Tier Design

lifestack embeds safety into the skills themselves — no framework, no SDK, no runtime. Twenty markdown files that any capable AI agent can load and follow. The core design principle: safety is not a layer you add on top, it is a constraint baked into each skill's instructions.

Four Tiers

Every skill declares its permission tier in YAML frontmatter:

  • read-only: Can read data and generate reports. Cannot modify anything. Investment watches, weekly reviews, audience insights live here.
  • read-write: Can create and update data files. Every write creates a checkpoint first. Budget updates, expense logging, exercise tracking.
  • approval-required: Requires explicit user confirmation before execution. The agent shows a preview of exactly what it will do, then waits for "yes." Social media cross-posting lives here — because a published post is essentially irreversible.
  • destructive: Double confirmation required. Reserved for operations like deleting a budget or resetting a profile.

This mirrors how every serious system handles permissions — Unix has had file permission tiers since 1971. What was novel is that agent skill systems didn't have them.

Context Integrity

Every lifestack skill begins with a safety preamble marked DO NOT SUMMARIZE, COMPACT, OR REMOVE. This addresses the Summer Yue problem architecturally — safety instructions that must survive context window management. It is the same approach Anthropic recommends for critical instructions in long agent sessions.

Audit Trails and Rollback

Every action — every expense logged, every budget updated, every social post prepared — is appended to .lifestack/audit/YYYY-MM-DD.md. The trail is append-only: skills can add entries, never delete them. Before any write operation, the checkpoint skill snapshots the affected files. If something goes wrong, rollback undo restores the previous state.

Three Domains

Finance covers budgets, expenses, savings goals, and a read-only investment watcher. The investment watcher is deliberately restricted: it can check prices and report portfolio status, but it can never execute trades or modify financial data.

Social media covers content calendars, engagement tracking, and cross-posting. Cross-posting is the only approval-required skill in the social domain — because posting to your Twitter or LinkedIn is one of the few digital actions that is genuinely hard to undo.

Health covers exercise logging, sleep tracking, nutrition, and a mood journal. The mood journal has the strictest privacy constraints of any skill: entries never leave the local machine, are never included in API calls to remote models, and are never shared with other skills unless the user explicitly requests it.

Built-In Measurement

lifestack ships with three workflow-optimizer workflow definitions — test specifications that validate each domain end-to-end. Run measure workflows/finance-budget --runs 5 and you get a concrete success rate, categorized failures, and a baseline for improvement. OpenClaw's skills have no reliability data. lifestack's skills are designed to be measured from day one.

What I Learned

Three gaps I identified but intentionally left unbuilt:

Cross-domain insights require a meta-review skill that reads across finance, health, and social data. The privacy implications are complex — your mood data informing your budget recommendations is useful and also exactly the kind of cross-domain flow that should require explicit opt-in.

Encryption at rest is needed because lifestack stores everything in plaintext markdown. The right approach — agent-accessible encryption that does not require a passphrase every time — remains an open design problem.

Multi-user support is a fundamentally different problem from single-user permission tiers. Family budgets and shared health goals require access control between users, not just between skills and data.

The broader takeaway: agent skills should declare their permission tier, every action should be logged and reversible, safety instructions should be architecturally protected from compaction, and reliability should be measured. None of this is technically hard. It is just consistently skipped in the rush to ship demo-ready agents.