Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Algernon Sprint

v1.0.0

Timed interleaved study sprint for OpenAlgernon. Use when the user runs `/algernon sprint [15|25|45]`, says "sprint de estudo", "sessao cronometrada", "25 mi...

by Antonio V. Franco (@antoniovfranco)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill claims to run timed interleaved study sprints (reasonable), but the SKILL.md hard-codes DB=/home/antonio/.../vestibular.db and uses sqlite3 queries against that file. A general-purpose 'sprint' skill should not assume a specific user's filesystem path or require direct access to an undeclared local DB. The required schema (cards, card_state, materials, etc.) is also assumed but not documented in metadata.
! Instruction Scope
The instructions tell the agent to run sqlite3 against a local DB, select and shuffle cards, run FSRS scheduling, and append results to 'today's conversation log' — actions that read and write local data and rely on an unspecified conversation-log location. The SKILL.md uses an environment variable DB but the skill metadata lists no required env vars or config paths. These are concrete scope mismatches and could cause the agent to access unintended local files or fail silently.
Install Mechanism
There is no install spec and no code files; this is instruction-only, so nothing will be written to disk by an installer. That lowers the installation risk compared with downloadable code.
! Credentials
The runtime text defines DB as a path and uses it, but the skill declares no required environment variables or config paths. The skill therefore implicitly requires read/write access to a specific local file and to whatever location is used for the conversation log, which is disproportionate and undocumented.
Persistence & Privilege
The skill does not request always:true and has no special persistence or elevated platform privileges in the provided metadata.
What to consider before installing
Do not install or run this skill without verification. The SKILL.md uses a hard-coded user path (DB=/home/antonio/...) and runs sqlite3 queries against it, but the skill metadata declares no required config or env variables — this mismatch means the skill will try to read a local database (possibly containing private study data) and write to an unspecified conversation log. Before installing:
1) Ask the maintainer to remove hard-coded paths and add a documented config option for the DB path (or declare required env vars and permissions).
2) Confirm where the 'conversation log' is written and whether network access or external endpoints are involved.
3) If you want to test, make a copy of your DB and run the skill in a sandboxed environment.
4) Prefer a version that requires explicit user configuration (path or env var) rather than using a baked-in user path.
If you cannot verify these points, treat the skill as potentially able to read sensitive local files and avoid installing it.

