Sprint OS
Audited by ClawScan on May 10, 2026.
Overview
Sprint OS is a coherent sprint/logging skill, but it encourages continuous autonomous action and its optional Convex backend is shown without authentication.
Install only if you intentionally want an agent to work in sustained sprint mode. Before use, define a project scope, maximum number of sprints, and approval rules for file changes, publishing, account actions, or external network calls. If you enable Convex, add authentication to the routes and avoid logging sensitive business or personal information.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Once enabled, the agent may keep taking follow-on actions without naturally returning control to the user.
This changes the agent's stopping behavior toward continuous execution, but the artifact does not provide an explicit pause, max-sprint, or user-approval boundary.
### 8. NEXT > Immediately begin the next sprint. ... No gaps. No reflection breaks longer than 30 seconds. Momentum is the goal.
Use only with narrow goals, set a sprint limit or stop condition, and require confirmation before file-changing, account-changing, publishing, or external actions.
The agent could interpret sprint work as permission to contact arbitrary services or resources while pursuing the user's outcome.
The network scope is broader than the disclosed Convex logging use and is paired with autonomous sprint execution, without specific resource or approval limits.
network: Makes HTTP requests to Convex endpoint (optional) and any resources needed for sprint work
Limit allowed domains/resources, document what tools may be used, and require user approval before contacting new services or performing high-impact operations.
If the Convex URL becomes known, others may be able to write, read, or poison sprint, metric, and content history.
The sample Convex HTTP route accepts and stores request bodies without any shown authentication or authorization checks; similar unauthenticated GET routes return sprint/content data.
http.route({ path: "/sprints/log", method: "POST", handler: ... const body = await request.json(); await ctx.runMutation(api.sprints.log, body); ... });
Add authentication or a shared secret to all Convex routes, avoid logging sensitive business details, and treat the endpoint URL as sensitive until access controls are added.
Incorrect, stale, or untrusted log entries could influence later sprint choices.
Persistent sprint history is purpose-aligned, but it is reused to guide future work and deduplication decisions.
Sprint history across sessions ... Content deduplication (check before creating) ... Metric trend tracking
Review and clean sprint logs periodically, separate projects, and do not treat persisted entries as authoritative without checking them.
The setup relies on external package provenance and the currently resolved package version.
The optional backend setup depends on third-party npm/npx tooling and does not pin a Convex package version; the steps are user-directed and aligned with the stated purpose.
npm install convex ... npx convex dev --new ... npx convex deploy
Run setup commands in a trusted environment and pin dependency versions if reproducibility or supply-chain control matters.
