Back to skill

Security audit

Go Linter Configuration

Security checks across malware telemetry and agentic risk

Overview

This Go linting helper is purpose-aligned, but its installer can run unverified remote code and modify system tool locations.

Review before installing in sensitive environments. Prefer installing Go and golangci-lint yourself through a trusted package manager, pinned release, or checksummed artifact instead of allowing the embedded curl-to-sh or /usr/local extraction commands to run automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs users to pipe a remotely fetched script directly into the shell, which executes unreviewed code from the network with the user's privileges. If the upstream script, hosting account, transport, or referenced branch is ever compromised, this becomes an immediate arbitrary code execution path.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The manifest's install metadata contains shell commands that fetch and execute remote content, including a `curl | sh` pattern, without any warning or integrity verification. Because this is embedded as installation behavior for the skill, it increases the likelihood of automatic or habitual execution and creates a supply-chain execution risk.

External Script Fetching

Low
Category
Supply Chain
Content
{
              "id": "golangci",
              "kind": "script",
              "script": "curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.59.1",
              "bins": ["golangci-lint"],
              "label": "Install golangci-lint",
            },
Confidence
94% confidence
Finding
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh

External Script Fetching

Low
Category
Supply Chain
Content
- name: Install golangci-lint
      run: |
        curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.59.1

    - name: Lint
      run: golangci-lint run --config .golangci.yml ./...
Confidence
93% confidence
Finding
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.