Pretty cool! Some questions about security, because the GitHub and website make a lot of claims about being fully "secure" by default:
1) What exactly does "encrypted" protect against if there's no passphrase being used? The key sits in IndexedDB right alongside the encrypted data.
2) Why can Claude POST any data it wants to any URL on the internet without any user confirmation?
3) Why is the Telegram bot token stored in plaintext when the Anthropic is protected by AES256? Telegram bot token isn't as sensitive, or what?
4) The javascript tool runs eval() in a Worker that has fetch(), so doesn't that make any fetch_url restriction pointless? The javascript tool can just do the fetch it wants inside of the eval.
How do the cron jobs work? Like if you add a PWA on the phone and set cron job tasks, how does it know to execute if the PWA is not open at the time?
Thanks! Currently the scheduler runs on the main thread. It checks every 60s and fires due tasks while the app is open. So it works well for recurring prompts during active use, but won't fire if the PWA is closed since browsers don't support persistent background timers. Periodic Background Sync is the closest web API but it's Chrome-only with no timing guarantees, so for now pinning the tab is the reliable path.
This is really interesting