A VRChat location "stalker/tracker" tool with consent

So this is a bit of an interesting one. The bot is mostly meant for myself, but has features that can be integrated across whoever uses it.

So the idea here that I’ve made is the following. It’s a VRChat stalker… but it stalks your own account. How it works is the following:

When you launch the bot, it logs in with the required 2fa systems as normal. So think 2fa, credentials, etc.

image

Upon proper validation of the account and the ability to use the bot. The bot starts up, and listens to the websocket for any events sent by vrchat. By default, everything is disabled. First up, you as a user need to verify. (The account initially used has to be different from the account you wanna track)

First of all, you verify with your account. This is a non-negotiable requirement.


You either accept a VRChat friend request. Or add a temporary code to your status. For the friend request, the account will send you a friend request you have to accept.

Once accepted you verify the status and proceed with the bot. But now, if I try to enable the location tracking. There is still one issue… I have not yet given consent to the system to track my account(s).

Checking what comes into the websocket, I see “hey, friend location is not allowed to track this user”.
image

This means that if I want to track my location, I have to give consent to that additionally as well.

The system processes if you are still a friend and/or verified. The moment you aren’t friends, all consent is revoked by default and you have to re-grant the consent.
image

The system is made to support more then one account, but only if you verify with each single one of them. If you are verified with an account that you aren’t friends with? Consent is (by default) revoked. As you need to be friends to be tracked (Websocketttsss)

Now, what can this be used for? Lets say I am tracking my own account. I made 2 methods to for example… share a link!
image

One of these, share an unlocked (or locked) link. Both work, it will always prefer the full instance with it’s nonce when given by the user. If it’s not given however, it will default to detecting it from the user. This would only work if the user is on Join Me or Online, and in a public, GPublic, G+ instance. If the user is on Ask me or DND, you need to manually send an invite to the bot to figure out the world. And it will markdown your profile for people to request off of you instead of getting the direct instance link.

This is how it looks when i am connected to a public instance:

However, this is what it’ll say when I go to the same world… in a private instance.
image

The invite gets processed though the websocket (It’s the user responcibility to make sure they can accept invite requests)

Now, instead of sending an link with a full invite. It will send the worldname… But ask of the user to request the invite from the user themselves!
image

This is my take at a consent friendly tracker bot, what do ya’ll think? Any ideas? Any other stuff I could, or should implement?

// Keep in mind, this is a personal project. It’s not meant for public use… but it can be.

I am wondering, how is this… “legality” wise? Does this violate the VRChat TOS? And if so, I’d love to hear improvements to make sure it’s legal.

That seem to work well enough. Personally i would mostly be carefull on the amount of data requested for the tracking but as it’s using websockets you most likely receive push events anyway.

The fact that you are forced to invite the bot makes sense as it’s based on vrc permissions. I’m unsure to see the use of such bot with a seperate account personally, but that’s an interesting tech item.

The seperate account is so it’s not asking YOUR credentials, but rather credentials for a specific account made for 1 specific pourpuse. The bot itself is ignore in any events by default.

That’s a solution indeed. I saw systems like that for events before the group feature was a thing. That’s clever to avoid the login problem. :+1:

Oh yeah, at most there are a few requests made to VRChat dependend on the friend request, username information and that type of stuff. This is the entire process in a gif, one moment.

I might add a “The username of the account has to contain “Bot” before it’ll start” rule or something. In case I decide to release it to the public.