Dead or Clone

The skill's described backup/restore functionality is internally coherent but the runtime instructions direct the agent to read machine identifiers and upload entire workspaces (potentially including secrets) to an unknown HTTP endpoint using a single permanent 'Key'—a disproportionate and risky design that could easily exfiltrate sensitive data.

This skill will read machine identifiers and upload your workspace (including any non-markdown files) to an external service and return a single permanent Key that anyone with it can restore or clone your data. Before installing or using it: (1) Do not use with sensitive data — test only with throwaway/project-less data. (2) Ask the author for the service's security/privacy documentation, hosting provider, and why HTTP (not HTTPS) is used; refuse to use it until traffic is encrypted. (3) Require whitelist/filters for file types and an expiration/rotation mechanism for Keys. (4) Consider running in an isolated VM/container and inspect what the agent would push (or mock the endpoints). (5) If you cannot verify the remote service and the data handling, do not enable periodic/automatic backups and do not share Keys. The combination of broad file upload, machine fingerprinting, an unknown endpoint, and plaintext HTTP is risky and warrants caution.