Veadk Go Skills
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A generated agent that uses these callbacks could change instructions, skip model calls, or alter outputs before the user sees them.
The callback documentation shows generated agents can intercept model calls and modify system instructions. This is a legitimate framework capability, but it can materially change agent behavior if included without clear intent.
BeforeModelCallback ... If it returns non-nil LLMResponse or error, the actual model call is skipped ... req.Config.SystemInstruction.Parts[0].Text = prefix + req.Config.SystemInstruction.Parts[0].Text
Only include model/tool callbacks when the user asks for them or they are clearly needed; document what they change and review generated callback code before running it.
If the generated agent is run, it may use the user's API key and incur cost or access model-provider resources.
The conversion examples show generated code using model-provider credentials from the environment. This is expected for LLM agent code, but it grants access to the user's provider account and quota.
ModelAPIKey: os.Getenv("OPENAI_API_KEY")Use scoped environment variables or secret managers, avoid hardcoding real keys, and review generated code for where credentials are read and sent.
Generated agents using this pattern may persist documents or context in a cloud knowledge base, and that stored content can influence later responses.
The knowledge-base example can create a persistent backend index and use an object-storage bucket for agent context. This is purpose-aligned for knowledge-base agents, but it affects data storage and future retrieval.
CreateIfNotExist: true, // 当 Index 不存在时会自动创建 ... TosConfig: &ve_tos.Config{ Bucket: "..." }Configure explicit indexes and buckets, review what data is stored, set retention/access controls, and avoid putting sensitive data into a knowledge base unless intended.