{"slug": "agent-activity-user-activity-recon-toolkit", "title": "Agent Activity: User Activity Recon Toolkit", "summary": "Agent Activity is an open-source monitoring platform that combines a Python endpoint agent, FastAPI backend, and Angular dashboard to collect and display system activity from registered desktop machines. The tool can capture sensitive data including keyboard events, clipboard contents, screenshots, and file contents, with operators able to view online status, host details, system metrics, and command results through a single interface. The platform's developers warn it should only be used on machines where monitoring is authorized and disclosed, noting the agent could be used as malware.", "body_md": "Agent Activity is a monitoring platform for registered desktop machines. It combines a Python endpoint agent, a FastAPI backend, and an Angular dashboard so system activity can be collected, organized, and reviewed from one place.\n\nAt a high level, each enrolled machine identifies itself to the backend, keeps sending health data, and checks whether there is any pending work to execute. The dashboard turns that stream of information into an operator console: online status, host details, system metrics, screenshots, activity logs, and command results are all available through a single interface.\n\nCaution\n\nAgent Activity can collect sensitive information, including keyboard events, clipboard contents, screenshots, process data, and selected file contents. Use it only on machines where monitoring is authorized, disclosed, and appropriate. SO BE CAREFUL, THE AGENT COULD BE USED AS MALWARE!\n\nAgents register with machine details such as hostname, operating system, IP address, MAC address, CPU information, and core count. Each agent sends regular heartbeat metrics, allowing the backend to keep track of which machines are online and which have gone quiet.\n\nThe dashboard uses that information to present a live fleet view. 
Operators can search agents, filter by operating system or status, open an individual agent, and quickly understand when it was last seen.\n\nOn supported desktop platforms, the agent can collect keyboard activity and group typed input into structured events. Those events are buffered locally, written as JSON Lines, and periodically sent to the backend for review.\n\nThe backend stores keylog events with timestamps, application context, event type, and value. From the dashboard, operators can inspect keylog history, filter it, and download it when needed.\n\nThe agent can monitor clipboard changes and capture text content that passes configured length checks. Like keylogs, clipboard events are buffered, persisted locally, and sent to the backend in batches.\n\nThis makes it possible to review copied text alongside the application that was active when the clipboard changed. Because clipboard data is often highly sensitive, this feature should be enabled and used with particular care.\n\nThe screenshot service captures the desktop at a configured interval, compresses the image, stores it locally, and uploads it to the backend. The agent also removes old local screenshots once the configured maximum count is reached.\n\nThe backend stores screenshot metadata and serves the image files to the dashboard. Operators can browse screenshots per agent, open individual captures, delete old captures, or download all screenshots for an agent as a ZIP archive.\n\nEvery heartbeat includes system information such as CPU usage, memory usage, disk usage, network counters, upload and download speed estimates, uptime, process count, battery state, and current active application.\n\nThese metrics are stored as time-series records and shown in the dashboard so an operator can see how a machine is behaving over time, not only whether it is online.\n\nThe backend can queue commands for an online agent. 
The agent polls for pending commands, runs the matching handler, and reports the result back with a final status.\n\nCurrently supported commands are intentionally small and inspect-oriented: `filesystem.list_directory`, `filesystem.read_file`, and `processes.list_processes`. This keeps the command channel useful while limiting the command surface.\n\nStart the backend first:\n\n```\ncd backend\npython -m venv venv\nsource venv/bin/activate\npip install --upgrade pip\npip install -r requirements.txt\nalembic upgrade head\npython -m app.main\n```\n\nThen start the dashboard:\n\n```\ncd frontend\nnpm install\nnpm start\n```\n\nFinally, start an agent from a machine that can reach the backend:\n\n```\ncd agent\npython -m venv venv\nsource venv/bin/activate\npip install --upgrade pip\npip install -r requirements.txt\npython main.py\n```\n\nOn Windows, activate Python virtual environments with `venv\\Scripts\\activate`.\n\nThe agent can be packaged with PyInstaller for each supported operating system. Linux packaging installs a `systemd` service, macOS packaging creates a menu bar app and DMG, and Windows packaging creates a tray application.", "url": "https://wpnews.pro/news/agent-activity-user-activity-recon-toolkit", "canonical_source": "https://github.com/RafaGomezGuillen/agent-activity", "published_at": "2026-05-26 07:57:15+00:00", "updated_at": "2026-05-26 08:11:34.917473+00:00", "lang": "en", "topics": ["ai-agents", "ai-tools", "ai-products", "ai-infrastructure", "ai-ethics"], "entities": ["Agent Activity", "FastAPI", "Angular"], "alternates": {"html": "https://wpnews.pro/news/agent-activity-user-activity-recon-toolkit", "markdown": "https://wpnews.pro/news/agent-activity-user-activity-recon-toolkit.md", "text": "https://wpnews.pro/news/agent-activity-user-activity-recon-toolkit.txt", "jsonld": "https://wpnews.pro/news/agent-activity-user-activity-recon-toolkit.jsonld"}}