Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Undo
v1.0.1
File edit time machine for AI agents. Automatically snapshot file changes after every Write, Edit, or Shell operation, and provide undo/revert capabilities t...
⭐ 0· 22·0 current·0 all-time
by xguang (@x-guang)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw verdict: Suspicious (medium confidence)

Purpose & Capability
The name/description match the implementation: scripts create snapshots, list history, create checkpoints, undo to commits/timestamps, and run a background watcher. The only declared runtime requirement (node) is consistent with the included Node.js scripts.
Instruction Scope
The scripts copy the entire project (with reasonable ignores like node_modules and .git) into a separate storage location (~/.local/share/undo-skill/repos/<hash>). That behavior is coherent with 'undo' functionality, but it means the skill will read and persist all tracked project files (which can include secrets, credentials, or large binary files). The SKILL.md insists snapshots be run after every Write/Edit/Shell and instructs agents to run the watcher for automatic snapshots; this gives the skill broad file-access behavior by design.
Install Mechanism
There is no external download/install spec in the registry (no remote fetch). All code is included in the skill bundle (Node scripts). However init.js contains logic to attempt to auto-install git by running system package manager commands (apt-get, apk, yum, dnf, pacman, brew, nix-env, pkg). Auto-install attempts are potentially sensitive because they execute system package manager commands and may require elevated privileges; this is understandable (git is needed) but worth flagging before allowing autonomous runs.
Credentials
The skill does not request any external credentials or environment variables beyond optional watcher tuning (UNDO_WATCHER_DEBOUNCE, UNDO_WATCHER_POLL). There are no unrelated secret requests. The main proportionality concern is data scope: the skill copies and stores project files outside the project, which is functionally required but increases confidentiality risk.
Persistence & Privilege
The skill is not always:true. But it includes a watcher script that can run in the background (prints a PID and auto-snapshots) and the SKILL.md encourages automatic snapshotting after every change. If the agent invokes the watcher autonomously, snapshots will be taken over time without explicit per-snapshot user confirmation. Autonomous invocation combined with ongoing local file copies increases blast radius if the skill is allowed to run without review.
What to consider before installing
This skill's code appears to implement a local file snapshot/undo system and is internally consistent with its description, but take these precautions before installing or enabling it:
1) Understand snapshot storage: snapshots are stored under ~/.local/share/undo-skill/repos/ by default — they include project file contents (which may contain secrets). Decide whether that storage location is acceptable.
2) Review and limit what gets tracked: add explicit ignores or avoid initializing projects that contain secrets or large binary data.
3) Disable or control the watcher: the background watcher auto-snapshots and could capture unintended data; prefer manual snapshotting or run the watcher only under supervision.
4) Auto-install behavior: init.js will try to run package-manager install commands to install git if missing — this executes system package commands and may require elevated privileges; prefer to preinstall git manually and/or inspect the init script before letting it run.
5) Audit stored snapshots: periodically inspect ~/.local/share/undo-skill/repos/ and remove sensitive snapshots if needed.
6) If you need stronger guarantees, request changes: support for encrypted snapshot storage, confirmation prompts before auto-snapshotting, or an opt-in list of paths to exclude.
If you want help producing a minimal checklist of settings to make this safe for your environment, tell me the OS and how you plan to run agents.

Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
lib/git.js:74: Shell command execution detected (child_process).
scripts/init.js:27: Shell command execution detected (child_process).
latestvk978jmgezjs5qdz6xdcpnnff4s84nafh
Runtime requirements
Platform: Clawdis
Bins: node
