Restore the most recently closed file from history
AI agents use cleanshot_restore_recently_closed to create or update resources in Cleanshot — usually the action step of a workflow, after the agent has gathered context. Every call changes real data in your Cleanshot environment.
This tool recovers a previously closed file, which is a reversible write operation that modifies the system state. While recovery is generally benign, an AI agent could misuse this to restore files a user intentionally deleted or closed, potentially exposing sensitive data or cluttering the system. It's not Destructive because the action is reversible and doesn't permanently delete anything.
From the tool's definition "Restore the most recently closed file from history" - restores/recovers a file that was previously closed, modifying the filesystem state by recovering deleted or closed data
Documented attack patterns abuse exactly the kind of access cleanshot_restore_recently_closed gives an agent:
PolicyLayer is an MCP gateway — it sits between your AI agents and Cleanshot, and nothing reaches the server without passing your rules. This is the rule we recommend for cleanshot_restore_recently_closed:
{
"version": "1",
"default": "deny",
"tools": {
"cleanshot_restore_recently_closed": {
"limits": [
{
"counter": "cleanshot_restore_recently_closed_rate",
"window": "minute",
"max": 30,
"scope": "grant"
}
]
}
}
}cleanshot_restore_recently_closed stays usable, but capped — an agent stuck in a loop can't make hundreds of changes a minute. Everything else on the server is denied unless you say otherwise.
Free to start. No card required.
Restore the most recently closed file from history. It is categorised as a Write tool in the Cleanshot MCP Server, which means it can create or modify data. Consider rate limits to prevent runaway writes.
Register the Cleanshot MCP server in PolicyLayer and add a rule for cleanshot_restore_recently_closed: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Cleanshot. Nothing to install.
cleanshot_restore_recently_closed is a Write tool with medium risk. Write tools should be rate-limited to prevent accidental bulk modifications.
Yes. Add a rate_limit block to the cleanshot_restore_recently_closed rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for cleanshot_restore_recently_closed. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
cleanshot_restore_recently_closed is provided by the Cleanshot MCP server (jdorfman/cleanshot-mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Start from Cleanshot, add the rest of your stack, and see everything your agents can call. Then put policy on all of it.
Free to start. No card required.
19 Cleanshot tools catalogued and risk-classified — across an index of 43,000+ MCP servers.