Skill v0.1.0

ClawScan security

Go Security Vulnerability · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 11, 2026, 8:45 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions match its stated purpose (running govulncheck and remediating Go module vulnerabilities), but the included install script (curl | tar -> /usr/local) and automated dependency-update guidance warrant cautious review before running.
Guidance
This skill is coherent with its purpose, but review and control any install steps before running. Specifically:
1) Do not run the curl | tar install blindly. Prefer installing Go via your OS package manager or an official installer you verify, or run the script in a controlled environment; the script writes to /usr/local, may require root, and can overwrite an existing Go install.
2) When applying fixes (go get -u, go mod edit -replace), work on a branch, run go build, the tests and CI, and review the diff and commit history; updating dependencies can break behavior.
3) Because the skill is instruction-only, there is no code to audit beyond SKILL.md. If you plan to let an agent execute these steps autonomously, ensure it runs in a sandboxed or CI environment and that you review any network downloads.
4) If you prefer lower risk, pre-install a vetted Go toolchain yourself and only allow the skill to run govulncheck and suggest remediation commands for manual approval.
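Point 4 of the guidance (let the skill scan and suggest, with a human approving each change) is easy to wire up because govulncheck can emit machine-readable output. The program below is an added example written for this review, not part of the skill or of govulncheck: it reads a govulncheck -json stream, groups findings per module, keeps the highest published fixed version, notes whether a vulnerable function is actually reached, and renders one go get command per module for a reviewer to approve. It assumes the finding/osv/fixed_version/trace field names of govulncheck's JSON output; the sampleStream at the bottom is a constructed excerpt whose module names and GO-0000-* identifiers are placeholders, not real advisories.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strconv"
	"strings"
)

// Subset of the govulncheck -json stream: one JSON object per message. Only
// "finding" messages are used; config, progress and osv messages decode to an
// empty struct and are skipped.
type message struct {
	Finding *finding `json:"finding"`
}

type finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []frame `json:"trace"`
}

// The first frame of a trace is the vulnerable module; Package and Function are
// set only when govulncheck found a call path from the scanned code into it.
type frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package"`
	Function string `json:"function"`
}

// Remediation is one per-module suggestion for a human to approve or reject.
type Remediation struct {
	Module  string
	Current string
	Fixed   string // highest fixed version seen; "" when no fix is published
	OSVs    []string
	Reached bool // a vulnerable function is called, not merely imported
}

// CollectRemediations reads a govulncheck -json stream and groups findings by module.
func CollectRemediations(r io.Reader) ([]Remediation, error) {
	byModule := map[string]*Remediation{}
	dec := json.NewDecoder(r)
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if m.Finding == nil || len(m.Finding.Trace) == 0 {
			continue
		}
		sink := m.Finding.Trace[0]
		rem, ok := byModule[sink.Module]
		if !ok {
			rem = &Remediation{Module: sink.Module, Current: sink.Version}
			byModule[sink.Module] = rem
		}
		if fv := m.Finding.FixedVersion; fv != "" && (rem.Fixed == "" || newer(fv, rem.Fixed)) {
			rem.Fixed = fv
		}
		if !contains(rem.OSVs, m.Finding.OSV) {
			rem.OSVs = append(rem.OSVs, m.Finding.OSV)
		}
		if sink.Function != "" {
			rem.Reached = true
		}
	}
	out := make([]Remediation, 0, len(byModule))
	for _, rem := range byModule {
		out = append(out, *rem)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Module < out[j].Module })
	return out, nil
}

// Command renders the command a reviewer would run after approving the suggestion.
func (r Remediation) Command() string {
	ids := strings.Join(r.OSVs, ", ")
	if r.Fixed == "" {
		return fmt.Sprintf("# %s %s: %s has no published fix; consider go mod edit -replace or dropping the dependency", r.Module, r.Current, ids)
	}
	return fmt.Sprintf("go get %s@%s  # %s (reached: %t)", r.Module, r.Fixed, ids, r.Reached)
}

func contains(xs []string, s string) bool {
	for _, x := range xs {
		if x == s {
			return true
		}
	}
	return false
}

// newer reports whether a is a later release than b, comparing major.minor.patch
// only; pre-release suffixes are ignored, which is enough for published fix versions.
func newer(a, b string) bool {
	pa, pb := parts(a), parts(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] > pb[i]
		}
	}
	return false
}

func parts(v string) [3]int {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, s := range strings.SplitN(v, ".", 3) {
		out[i], _ = strconv.Atoi(s)
	}
	return out
}

// sampleStream is a constructed govulncheck -json excerpt with placeholder modules
// and identifiers (example code only; GO-0000-* are not real advisories).
const sampleStream = `{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.4.2","trace":[{"module":"example.com/vulnlib","version":"v1.3.0"}]}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.4.2","trace":[{"module":"example.com/vulnlib","version":"v1.3.0","package":"example.com/vulnlib/parse","function":"Decode"},{"module":"example.com/app","package":"example.com/app","function":"main"}]}}
{"finding":{"osv":"GO-0000-0002","fixed_version":"v1.5.0","trace":[{"module":"example.com/vulnlib","version":"v1.3.0"}]}}
{"finding":{"osv":"GO-0000-0003","fixed_version":"","trace":[{"module":"example.com/unmaintained","version":"v0.9.1"}]}}
`

func main() {
	rems, err := CollectRemediations(strings.NewReader(sampleStream))
	if err != nil {
		panic(err)
	}
	for _, r := range rems {
		fmt.Println(r.Command())
	}
}
```

In practice the stream comes from `govulncheck -json ./...` run in the sandbox; the printed commands are what the agent hands back for approval, and each approved one is applied on a branch followed by go mod tidy, go build and the test suite, as point 2 of the guidance asks.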

Review Dimensions

Purpose & Capability
ok: Name/description (Go vulnerability scanning & fixes) align with the required binaries (go) and the SKILL.md instructions (install and run govulncheck, update go.mod, run go build/test). Requested capabilities are coherent with the stated purpose.
Instruction Scope
note: Instructions are focused on scanning (govulncheck), determining impacted packages, and remediation (go get -u, go mod edit -replace, go mod tidy). They explicitly modify project files (go.mod) and pull code from public module sources. This is expected, but the skill's guidance to update to latest versions can break builds if not tested; the SKILL.md sensibly includes verification steps (build/tests).
Install Mechanism
concern: The install spec is a shell script that pipes curl to tar and extracts an official Go tarball into /usr/local. Although the source domain (golang.org) is legitimate, piping network content directly into tar and writing to /usr/local (requires elevated privileges and can overwrite existing Go installations) raises operational and supply-chain risk. This is a higher-risk install mechanism compared with using a package manager or vetted release installer.
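What the curl | tar pattern drops is the step between download and extraction: checking the whole archive against the digest that go.dev publishes next to each release tarball, and refusing archive entries that could write outside the target directory. The program below is an added example written for this review, not the skill's install script and not Go's installer: it takes the tarball bytes and the expected SHA256 hex digest already in hand (fetching both, for instance with curl, is left to the caller), verifies the digest before touching the filesystem, and then extracts only regular files and directories whose paths stay under the destination. The function names are ours, and BuildArchive produces a constructed in-memory tarball so the flow runs without network access.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// SHA256Hex returns the lowercase hex digest of b, the form published alongside
// each release tarball on go.dev/dl.
func SHA256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// VerifySHA256 compares the digest of the complete archive with the published
// one before anything is extracted; curl | tar skips this step entirely.
func VerifySHA256(archive []byte, expectedHex string) error {
	if got := SHA256Hex(archive); !strings.EqualFold(got, expectedHex) {
		return fmt.Errorf("sha256 mismatch: got %s, want %s", got, expectedHex)
	}
	return nil
}

// ExtractTarGz unpacks archive under dest. Entries that would land outside dest
// (".." components or absolute names) and anything other than a regular file or
// directory (symlinks, devices) are refused, so a tampered tarball cannot plant
// files elsewhere on the system. It returns the names of the files written.
func ExtractTarGz(archive []byte, dest string) ([]string, error) {
	gz, err := gzip.NewReader(bytes.NewReader(archive))
	if err != nil {
		return nil, err
	}
	root := filepath.Clean(dest) + string(os.PathSeparator)
	tr := tar.NewReader(gz)
	var written []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		target := filepath.Join(dest, hdr.Name) // Join cleans ".." segments
		if !strings.HasPrefix(target, root) {
			return written, fmt.Errorf("refusing %q: escapes %s", hdr.Name, dest)
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
				return written, err
			}
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, hdr.FileInfo().Mode().Perm())
			if err != nil {
				return written, err
			}
			_, err = io.Copy(f, tr)
			f.Close()
			if err != nil {
				return written, err
			}
			written = append(written, hdr.Name)
		default:
			return written, fmt.Errorf("refusing %q: unsupported entry type %q", hdr.Name, hdr.Typeflag)
		}
	}
}

// InstallGoVerified is download-then-extract with the digest check in between.
func InstallGoVerified(archive []byte, expectedHex, dest string) ([]string, error) {
	if err := VerifySHA256(archive, expectedHex); err != nil {
		return nil, err
	}
	return ExtractTarGz(archive, dest)
}

// BuildArchive creates a constructed tar.gz in memory; it stands in for a real
// release tarball so the flow can be exercised offline (example fixture only).
func BuildArchive(files map[string]string) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for name, body := range files {
		hdr := &tar.Header{Name: name, Mode: 0o755, Size: int64(len(body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(body)); err != nil {
			panic(err)
		}
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}

func main() {
	dest, err := os.MkdirTemp("", "go-install-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	archive := BuildArchive(map[string]string{"go/VERSION": "go1.22.0\n", "go/bin/go": "#!/bin/sh\necho fake go\n"})
	files, err := InstallGoVerified(archive, SHA256Hex(archive), dest)
	fmt.Println("verified install wrote:", files, "err:", err)
	_, err = InstallGoVerified(archive, "0000", dest)
	fmt.Println("tampered digest:", err)
}
```

Run as root only for the final extraction into /usr/local, and check for an existing /usr/local/go first; the digest check and the path check need no privileges and are the two things the piped script cannot do.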
Credentials
ok: The skill requests no environment variables or external credentials. That is proportional; neither govulncheck nor the remediation steps inherently require secrets. No unrelated credentials or config paths are requested.
Persistence & Privilege
ok: The always flag is false and the skill is user-invocable only; it does not request persistent system-wide configuration beyond installing Go (via the provided script). The install will create binaries on the system, but the skill does not demand elevated persistent privileges or modify other skills' configs.