Golang Google Wire

PassAudited by ClawScan on May 2, 2026.

Overview

This is a coherent Go coding helper for Google Wire; it can edit code and run Go/Wire commands, but the artifacts do not show hidden, deceptive, or malicious behavior.

This skill appears safe to use for Go projects using Google Wire. Before installing, note that it may edit your source tree, generate wire_gen.go, run Go/Wire commands, and install the Wire CLI from @latest. Review generated diffs and avoid sharing secrets or private code through external documentation lookups.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI02: Tool Misuse and Exploitation

What this means

When invoked, the agent may change source files or generated files and run local project commands.

Why it was flagged

The skill can edit project files and run Go, Wire, golangci-lint, and Git commands. This is expected for a Go code-generation skill, but it can still modify the user's repository.

Skill content

allowed-tools: Read Edit Write Glob Grep Bash(go:*) Bash(golangci-lint:*) Bash(git:*) Agent WebFetch ... Bash(wire:*)

Recommendation

Review diffs before committing, and be cautious with any Git commands beyond inspection or normal local workflow.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

A future install could receive a different Wire version than the one previously reviewed or tested.

Why it was flagged

The required Wire CLI is installed from the latest available version rather than a pinned version. This is purpose-aligned but less reproducible.

Skill content

package: github.com/google/wire/cmd/wire@latest

Recommendation

For reproducible builds, pin the Wire tool version, for example to a known release, instead of using @latest.

Info

#ASI07: Insecure Inter-Agent Communication

What this means

Library names, documentation queries, or snippets the agent sends for lookup may leave the local environment.

Why it was flagged

The skill can query external documentation sources through WebFetch and Context7. This is disclosed and aligned with looking up library docs, but it introduces an external-provider boundary.

Skill content

WebFetch mcp__context7__resolve-library-id mcp__context7__query-docs

Recommendation

Avoid including secrets or private proprietary code in external documentation queries.