ClawHub

Golang How To

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Go-skill orchestrator with an optional project configuration mode, but it should be used carefully because it can make future Go-related agent sessions load extra skills automatically.

Install this if you want Go tasks to automatically pull in related Go guidance. Before using configure mode, review which files it will edit and which skills it will make always load, because that changes future agent behavior for the project and may add prompt overhead.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill advertises itself as 'always active on any Golang coding, review, debug, or setup task,' which is an unusually broad trigger condition for an orchestration skill. That can cause the agent to inject extra instructions and tool-usage behavior into a very wide range of requests, increasing the chance of unintended skill activation, instruction interference, or overreach into tasks where the user did not ask for orchestration.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The instruction 'For every Go task, identify all relevant skills and load them together' lacks practical scope limits and encourages eager fan-out at task start. In an agent environment, this can amplify prompt influence, create instruction collisions across multiple loaded skills, and push the agent toward unnecessary complexity or broader tool usage before the user's intent is fully clarified.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The configure mode explicitly tells the agent to add a 'Required Go skills' block to project-level CLAUDE.md or AGENTS.md so skills 'always load,' creating persistent behavioral modification of the repository. This is more dangerous than transient orchestration because it can silently change future agent behavior across unrelated sessions and tasks, effectively establishing a durable auto-trigger mechanism without stated consent, review, or scoping safeguards.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal