Golang Observability

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a Go observability skill, but some examples could lead users to add privacy-sensitive telemetry or unsafe data export/deletion endpoints without enough safeguards.

Install only if you specifically want Go observability and analytics guidance, and review any copied examples carefully. Require explicit user consent and data-minimization review for RUM/CDP tracking, avoid raw IDs or sensitive fields in logs/traces/metrics, configure telemetry export as data egress, and do not use the privacy export/deletion examples without strong authentication and authorization.

SkillSpector (6)

By NVIDIA

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The example records `r.URL.Path` directly as a Prometheus label, which creates unbounded label cardinality when paths contain IDs or other dynamic segments. In production observability systems this can rapidly explode time-series count, causing excessive memory use, degraded query performance, and potential instability or outage of the Prometheus/monitoring stack. Because this is a reference skill for production instrumentation, readers are likely to copy the example verbatim, making the contradictory guidance especially dangerous.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill description is very broad and covers many common Go development tasks such as adding logging, metrics, tracing, alerting, dashboards, and compliance-related tracking. In an agent-routing context, this can cause the skill to trigger for routine coding requests and grant it expansive tool access, increasing the chance of unnecessary code changes, external lookups, or privacy-impacting instrumentation being applied where it was not explicitly requested.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly supports server-side RUM event tracking, CDP integration, and GDPR/CCPA-related analytics work, but the top-level description does not prominently warn that these actions may introduce user monitoring, personal data processing, consent requirements, and retention obligations. That omission is risky because an agent may propose or implement tracking by default before surfacing privacy review, consent, or data-minimization requirements to the user.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The tracing examples encourage attaching business and user identifiers to spans and structured errors, but do not warn that span attributes and error metadata may contain personal, financial, tenant, or other regulated data. In an observability skill, this omission is meaningful because developers may copy these examples directly into production systems and unintentionally exfiltrate sensitive data into logs, traces, and third-party backends.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The OTLP exporter setup sends telemetry off-process to a collector or backend, but the guidance does not warn that traces may leave the application boundary and traverse external infrastructure. In practice, teams may enable tracing under the assumption it is purely local instrumentation, causing unintended disclosure of internal metadata or sensitive attributes to vendors, collectors, or misconfigured remote endpoints.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
GDPR and CCPA require you to let users access, export, and delete their data. Implement API endpoints that propagate these requests to all systems that hold user data — your database, your analytics platform, your CDP.

```go
// DELETE /api/users/:id/data — GDPR Article 17 "Right to Erasure"
func (h *PrivacyHandler) HandleDataDeletion(w http.ResponseWriter, r *http.Request) {
    ctx := r.Context()
    userID := chi.URLParam(r, "id")
    // ... remainder of the handler is not included in this report excerpt
}
```

Confidence
85% confidence
Finding
DELETE /api/users/:id/data

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
