Go Linter Configuration

Security checks across malware telemetry and agentic risk

Overview

This Go linting helper is aligned with its purpose, but its installer can run unverified remote code and modify system tool locations.

Review this skill before installing if your environment is sensitive. Prefer manually installing Go and golangci-lint through a trusted package manager, pinned release, or checksummed artifact instead of allowing the embedded curl-to-sh or /usr/local extraction commands to run automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill metadata includes an install script that downloads a Go tarball via curl and immediately extracts it into /usr/local, and also provides another installer that pipes a remotely fetched script directly into sh. These patterns create supply-chain and arbitrary code execution risk because network content is executed or unpacked with elevated filesystem impact and no integrity verification, pinning by digest, or user warning.

Missing User Warnings

Medium
Confidence: 98%
Finding
The documentation explicitly recommends piping a remote install script from GitHub directly into sh. If the upstream script, transport, repository, or dependency chain is compromised, users execute attacker-controlled code immediately, and the skill provides no warning or safer alternative in that example.

Missing User Warnings

Medium
Confidence: 97%
Finding
The CI example executes a remote installation script during workflow runs, which can turn a repository or upstream compromise into automated code execution in CI. In CI contexts this is especially dangerous because runners often have repository tokens, secrets, and publish permissions available to the job.

VirusTotal

66/66 vendors flagged this skill as clean.