Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Sprint OS
v1.0.0
5-minute sprint operating system for AI agents. Autonomous execution cycles: ASSESS → PLAN → SCOPE → EXECUTE → MEASURE → ADAPT → LOG → NEXT. Includes optiona...
by Batsirai Chada (@batsirai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill claims to run short execution sprints and log them. The included bash logger writes to a local markdown log and can POST to an optional Convex URL. Requesting filesystem access (to write sprint-log.md) and optional network access to a Convex endpoint aligns with the stated purpose; there are no unrelated env vars, binaries, or install steps required.
Instruction Scope
SKILL.md instructs the agent to 'read the active task list, relevant files, and recent sprint log' — that is coherent for a sprinting agent but implies the agent may access arbitrary workspace files. The permission text also says 'network: ... any resources needed for sprint work', which is broader than strictly necessary (Convex only). This is reasonable for an autonomous operator skill but you should be aware it grants the agent discretion to read workspace files and make network requests beyond Convex unless you limit those permissions.
Install Mechanism
There is no install spec (instruction-only skill) and no remote downloads. The only shipped executable is a small bash script (log-sprint.sh). Convex setup instructions reference Node.js for an optional backend, but that is optional and not performed automatically by the skill. This is low-risk from an install perspective.
Credentials
There are no required credentials. The only environment variable used is the optional CONVEX_SPRINT_URL (and the script respects SPRINT_LOG_FILE for log path). No secrets, API keys, or unrelated credentials are requested by the skill itself.
Persistence & Privilege
always is false and the skill does not request to modify other skills or system-wide settings. It can be invoked autonomously (platform default), which is expected for an operator-style skill; this by itself is not a red flag given the rest of the footprint.
Assessment
This skill appears coherent and low-risk, but take these practical steps before enabling it: (1) If you enable Convex logging, only set CONVEX_SPRINT_URL to a Convex deployment you control or trust — do not point it at unknown endpoints. (2) Review the included log-sprint.sh to confirm log file path (SPRINT_LOG_FILE) and payload format meet your privacy needs. (3) Be aware the SKILL.md instructs the agent to read 'relevant files' in the workspace — if you need to limit file/network access, run the skill in a restricted environment or sandbox. (4) If you do not want network calls, simply leave CONVEX_SPRINT_URL unset and the skill will log locally.
Like a lobster shell, security has layers — review code before you run it.
latestvk97c7fg83arzfmqzqhxxmj0xrd81zb37
