Golang Security

Security checks across malware telemetry and agentic risk

Overview

This is a Go security guidance skill with some imperfect examples, but its behavior is disclosed and aligned with reviewing or improving Go code security.

Install this if you want an agent to help review and improve Go security. Be aware that it can influence ordinary Go coding tasks and may use broad workspace reads, edits, Go tooling, git commands, web lookup, and sub-agents during audits. Treat its code examples as guidance to review rather than snippets to copy blindly, especially the template, logging, and unsafe-related examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (5)

Intent-Code Divergence

Medium (98% confidence)

The 'Good' Template Injection example claims to validate input first, but it validates an unrelated variable (`role`) and still passes untrusted `data` directly to `t.Execute`. In a security guidance file, this is dangerous because readers may copy the example and believe it is a safe pattern, leading to misuse of untrusted template data and weakened output-handling practices.

Intent-Code Divergence

Medium (98% confidence)

This is a true issue in the guidance: the example claims to prevent log injection but explicitly preserves newline and tab characters, which can allow attackers to forge multi-line log entries, spoof fields, or disrupt downstream log parsing. Because this is a security skill intended to teach best practices, users may copy the flawed sanitizer directly into production code, amplifying the risk beyond a mere documentation mistake.

Intent-Code Divergence

Medium (97% confidence)

This is a real security documentation flaw: the file declares that `unsafe` must not be used in application code, yet later recommends an `unsafe.Pointer`-based helper as a 'Good' solution. In a security guidance skill, contradictory advice can mislead developers into adopting unsafe patterns under the belief they are approved, weakening memory-safety guarantees and normalizing dangerous APIs.

Intent-Code Divergence

Medium (99% confidence)

The 'Good' example explicitly imports and uses `unsafe` to compute slice address ranges, directly contradicting the earlier rule forbidding `unsafe` in application code. Because this skill is intended as security best-practice guidance for Go, presenting such code as the recommended safe pattern is especially dangerous: users may copy it into production and bypass Go's safety model based on flawed guidance.

Vague Triggers

Medium (87% confidence)

The skill description is very broad and includes generic triggers like writing, reviewing, auditing Go code, or working on any risky code involving I/O, secrets, authentication, or user input. In an agent ecosystem, this can cause the skill to activate for a wide range of ordinary development tasks, increasing the chance that its instructions and tool permissions influence contexts beyond a narrowly scoped security review. The content is not overtly malicious, but the broad activation surface expands where the skill can intervene.

VirusTotal

64/64 vendors flagged this skill as clean.
