Skill v1.0.0
ClawScan security
Sprint OS · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 27, 2026, 2:14 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, runtime instructions, and optional Convex integration are internally consistent with a 5-minute sprint logger: it needs only filesystem access for the local log and, optionally, HTTP access to a user-provided Convex endpoint.
- Guidance: This skill appears coherent and low-risk, but take these practical steps before enabling it: (1) If you enable Convex logging, set CONVEX_SPRINT_URL only to a Convex deployment you control or trust; whatever the script POSTs, including the sprint summary text, goes to that endpoint, so do not point it at an unknown one. (2) Review the included log-sprint.sh to confirm that the log file path (SPRINT_LOG_FILE) and the payload format meet your privacy needs. (3) Be aware that SKILL.md instructs the agent to read 'relevant files' in the workspace; if you need to limit file or network access, run the skill in a restricted environment or sandbox. (4) If you do not want network calls at all, leave CONVEX_SPRINT_URL unset and the skill logs locally only.
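As an added example (not the skill's own log-sprint.sh, whose contents the scan does not reproduce), the POSIX shell script below implements the env-var contract the guidance describes: SPRINT_LOG_FILE for the local markdown log and CONVEX_SPRINT_URL for the optional POST. It shows steps (1), (2) and (4) as code: an explicit payload builder so you can see exactly what leaves the machine, a local-only path when the URL is unset, and a URL check before any network call. The https-only rule, the *.convex.site host suffix, and all function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the skill's own log-sprint.sh: a minimal sprint logger with the
# env-var contract the scan describes (SPRINT_LOG_FILE for the local markdown log,
# CONVEX_SPRINT_URL for the optional POST). The https-only rule and the
# *.convex.site host suffix below are this example's assumptions.

# Escape a value for use inside a JSON string literal (backslash, quote, newline).
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' | tr '\n' ' '
}

# Succeed only for an https URL whose host is a *.convex.site deployment.
# http, other hosts, userinfo tricks (https://x.convex.site@evil.example/) and
# explicit ports are all rejected, so a mis-set variable cannot redirect the POST.
convex_url_allowed() {
  url=$1
  case "$url" in
    https://*) ;;
    *) return 1 ;;
  esac
  host=${url#https://}   # strip scheme
  host=${host%%/*}       # drop path and query
  case "$host" in
    ''|*@*|*:*) return 1 ;;
  esac
  case "$host" in
    *.convex.site) return 0 ;;
  esac
  return 1
}

# The exact body that leaves the machine: the timestamp and the summary, nothing else.
sprint_payload() {
  printf '{"ts":"%s","summary":"%s"}' "$(json_escape "$1")" "$(json_escape "$2")"
}

# Append one sprint line to the local log; POST to Convex only when CONVEX_SPRINT_URL
# is set and passes convex_url_allowed. Returns 0 on success, 2 when a URL was set
# but rejected (the sprint is still recorded locally), curl's status otherwise.
log_sprint() {
  summary=$1
  log_file=${SPRINT_LOG_FILE:-sprint-log.md}
  ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  printf -- '- %s %s\n' "$ts" "$summary" >> "$log_file"
  if [ -z "${CONVEX_SPRINT_URL:-}" ]; then
    return 0            # step (4): unset URL means local-only, no network call at all
  fi
  if ! convex_url_allowed "$CONVEX_SPRINT_URL"; then
    echo "log_sprint: refusing to POST to untrusted CONVEX_SPRINT_URL=$CONVEX_SPRINT_URL" >&2
    return 2
  fi
  curl -fsS -X POST -H 'Content-Type: application/json' \
       --data "$(sprint_payload "$ts" "$summary")" "$CONVEX_SPRINT_URL" >/dev/null
}

# Usage: ./log-sprint-example.sh "what the sprint did"
if [ $# -eq 1 ]; then
  log_sprint "$1"
fi
```

Run it once with CONVEX_SPRINT_URL unset to confirm nothing touches the network, and once with a deliberately wrong URL (an http scheme, or a host outside your deployment) to confirm the sprint is still written locally but the POST is refused. The allowlist is a host-suffix check on purpose: a blanket "any Convex URL" rule would accept a deployment an attacker controls, which is exactly the case step (1) warns about.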
Review Dimensions
- Purpose & Capability (ok): The skill claims to run short execution sprints and log them. The included bash logger writes to a local markdown log and can POST to an optional Convex URL. Requesting filesystem access (to write sprint-log.md) and optional network access to a Convex endpoint aligns with the stated purpose; no unrelated env vars, binaries, or install steps are required.
- Instruction Scope (note): SKILL.md instructs the agent to 'read the active task list, relevant files, and recent sprint log'. That is coherent for a sprinting agent but implies the agent may access arbitrary workspace files. The permission text also says 'network: ... any resources needed for sprint work', which is broader than strictly necessary (Convex only). This is reasonable for an autonomous operator skill, but be aware that it grants the agent discretion to read workspace files and make network requests beyond Convex unless you limit those permissions.
- Install Mechanism (ok): There is no install spec (instruction-only skill) and no remote downloads. The only shipped executable is a small bash script (log-sprint.sh). The Convex setup instructions reference Node.js for the optional backend, but that setup is not performed automatically by the skill. This is low-risk from an install perspective.
- Credentials (ok): No credentials are required. The only environment variable used is the optional CONVEX_SPRINT_URL (the script also respects SPRINT_LOG_FILE for the log path). No secrets, API keys, or unrelated credentials are requested by the skill itself.
- Persistence & Privilege (ok): The always flag is false, and the skill does not request to modify other skills or system-wide settings. It can be invoked autonomously (the platform default), which is expected for an operator-style skill; by itself this is not a red flag given the rest of the footprint.
