Golang Performance
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent Go performance guidance skill with purpose-aligned benchmarking and profiling tools, but users should review any file edits, shell commands, and tool installation choices.
This skill looks safe to use for Go performance work. Before installing, be comfortable with the agent reading and editing the target repository, running Go benchmarking/profiling commands, and installing benchstat. Review generated diffs and commands, pin benchstat if needed, and apply any production observability/profiling advice with normal access-control and data-retention safeguards.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may edit code and run benchmarking/profiling or related commands in the project.
This grants file mutation plus local command, profiling, version-control, and network-fetch capabilities. Those are coherent for performance optimization, but they can affect the repository or local environment if used too broadly.
allowed-tools: Read Edit Write Glob Grep Bash(go:*) Bash(golangci-lint:*) Bash(git:*) Agent WebFetch Bash(benchstat:*) ... Bash(curl:*) Bash(fgprof:*) Bash(perf:*) WebSearch AskUserQuestion
Keep use scoped to the intended Go project, review shell commands before execution when possible, and inspect all code diffs before accepting changes.

The installed benchmark comparison tool could change between installs.
The install step resolves the latest version of an external Go tool. Benchstat is directly relevant to the skill, but @latest means installs may vary over time.
package: golang.org/x/perf/cmd/benchstat@latest
Pin benchstat to a reviewed version if reproducible or locked-down environments matter.

Sensitive source code or architecture details included in the task may be processed by sub-agents.
The skill may delegate code review work to sub-agents. This is disclosed and purpose-aligned, but it means project context may be shared across agent instances.
Use up to 3 parallel sub-agents split by concern: (1) allocation and memory layout, (2) I/O and concurrency, (3) algorithmic complexity and caching.
Use the skill only in repositories where agent-based review is acceptable, and avoid including secrets or unrelated sensitive files in the working context.

If the guidance is applied, profiling or metrics data may be stored in monitoring systems and should be protected.
The observability guidance includes production profiling and third-party profiler options. This is normal for performance work, but production profiles and metrics can contain sensitive operational information.
Continuous profiling collects low-overhead samples in production and stores them for historical comparison.
Apply observability changes with normal production review, authentication, retention, and access-control practices.
