Undo

Security checks across malware telemetry and agentic risk

Overview

This undo skill is purpose-aligned, but it can copy whole projects into persistent history, run a background watcher, automatically install Git, and overwrite files without a clear confirmation step.

Install only if you want project-wide file history and are comfortable with local copies being retained outside the project. Preinstall Git yourself, avoid running this over projects containing secrets unless you add exclusions, start the watcher only deliberately, and require a manual review before any undo operation that overwrites files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill claims to provide undo/history, but the documented behavior expands into package-manager based software installation and a persistent background watcher. Those side effects materially exceed user expectations for an undo tool and could change the host system or keep monitoring files after the immediate task, creating unauthorized system modification and persistence risks.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script exceeds its stated file-tracking purpose by attempting to modify the host system and install packages automatically. This is dangerous because running package-manager commands changes the environment, may require elevated privileges, and can have side effects on developer machines, CI runners, or containers without explicit user approval.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly advertises a background watcher that monitors file changes and automatic snapshotting of modifications, but it does not clearly warn users that project contents may be continuously observed and stored outside the project directory. In an agent context, this can create privacy and data-retention risks because sensitive source code, secrets, or proprietary files may be copied into persistent history without informed user consent.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation phrases include generic terms like 'undo', 'revert', 'go back', 'restore', and 'show history', which are common in ordinary conversation and many unrelated workflows. This makes accidental invocation likely, and because the skill can reset project state or launch tracking behavior, an unintended trigger could cause destructive or privacy-impacting actions without clear user consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The notes explain that undo force-pushes state in an external repo and that a watcher can run continuously, but the user-facing description does not prominently warn that undo may forcibly reset working state and that background monitoring may continue independently. This missing disclosure increases the chance users enable the skill without understanding destructive rollback and persistence implications.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The undo paths perform destructive rollback by resetting the worktree, copying reverted files back into the project, and force-pushing updated history without any confirmation or explicit safety gate. In an agent setting, a mistaken or ambiguous 'undo' request can silently overwrite current files and delete newer content, causing data loss even if the feature is intended.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
Initialization copies the project's files into an internal tracking repository under the user's data directory without any in-band disclosure or consent mechanism. Because this skill is designed for autonomous agent use and may auto-activate on broad phrases like 'track changes' or 'undo', users may not realize sensitive project contents are being duplicated and retained outside the project tree.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The API documents a background watcher that continuously monitors project files and automatically creates snapshots in external storage, but it does not require an explicit warning or consent flow about persistent file capture. In an agent context, this can silently retain sensitive source code, secrets, or proprietary data beyond the project directory, increasing privacy and data-handling risk if users do not realize ongoing monitoring is active.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
When git is not found, the script immediately invokes package-manager installation attempts without warning or confirmation. In an agent context, this is especially risky because the agent may trigger host changes autonomously, violating the principle of least surprise and potentially altering production, shared, or ephemeral environments.

VirusTotal

66 of 66 vendors reported this skill as clean.