ClawHub

Go Production Engineering

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Go engineering skill whose examples fit its stated purpose, with only minor scoping cautions.

Install this if you want an agent to help with production Go service design and implementation. Be explicit when invoking it, and review generated Makefiles, Dockerfiles, CI configs, database migrations, and profiling/debug-server changes before running them against real projects or databases.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The example contradicts its own guidance by spawning a fire-and-forget goroutine that is neither tracked nor coordinated with shutdown. In a production-engineering skill, this can normalize unsafe concurrency patterns that lead to dropped work, leaked goroutines, or background actions continuing after request/server teardown.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The README includes very broad invocation examples such as 'Set up a new Go service' and 'Review this Go code,' which are generic requests that can match many unrelated user intents. In agent ecosystems that auto-route based on trigger phrases, this can cause the skill to be invoked unexpectedly, potentially overshadowing more appropriate skills and leading to unsafe or confusing behavior in contexts the skill was not meant to handle.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The natural-language triggers are broad enough that many ordinary Go-related requests could activate the skill unintentionally. In an agent setting, over-broad activation can cause the skill to steer outputs, override user intent, or inject large process guidance into contexts where it was not requested, increasing the risk of unsafe or inappropriate behavior.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal