Skill v1.0.0
VirusTotal security
Sprint OS · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:39 AM
- Hash: 7f6543f8bbf396f5fc1d5db1dcb51aab62abb12192920e8dc9f5e0ae023e0710
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: sprint-os; Version: 1.0.0. The skill requests broad 'network' permissions in SKILL.md ('any resources needed for sprint work'), which could be interpreted too broadly by an AI agent. The `scripts/log-sprint.sh` script sends user-controlled data (sprint details) to an external, user-defined `CONVEX_SPRINT_URL`. While this is an intended feature for logging, it represents a data exfiltration vector if the `CONVEX_SPRINT_URL` is compromised or maliciously configured. The script also directly interpolates user-provided arguments into a JSON payload for `curl`, which could be a vulnerability if inputs are not sanitized, though not immediately exploitable for shell injection in this specific `curl -d` context. These are risky capabilities and potential vulnerabilities, but there is no clear evidence of intentional malicious behavior.
