Golang Security
Pass. Audited by ClawScan on May 10, 2026.
Overview
This appears to be a coherent Go security review skill; it can install and run Go security tools, edit project files, and use sub-agents, but no artifact-backed malicious behavior was found.
Before installing, be aware that this skill is designed to inspect and potentially modify Go repositories, run Go/git/govulncheck commands, and use sub-agents for broad audits. These behaviors are appropriate for its purpose, but you should review changes before committing them and consider pinning govulncheck for reproducible installs.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may change project files or run development commands while reviewing or fixing security issues.
The skill is allowed to edit files and run broad Go, git, and vulnerability-checking commands; this is expected for a Go security audit/fix skill, but users should be aware of the repository-level authority it grants.
allowed-tools: Read Edit Write Glob Grep Bash(go:*) Bash(golangci-lint:*) Bash(git:*) Agent WebFetch Bash(govulncheck:*) WebSearch AskUserQuestion
Use it in a trusted repository, review generated diffs, and ask the agent to confirm before running commands or making edits if you want stricter control.
Installing the skill may fetch a newer govulncheck release than the one originally reviewed.
The install specification uses the latest version of govulncheck rather than a pinned version; govulncheck is directly relevant to the skill, but @latest can change over time.
package: golang.org/x/vuln/cmd/govulncheck@latest
Pin govulncheck to a reviewed version if reproducible installs are important.
During a full audit, multiple agent workers may inspect parts of the codebase to produce findings.
The skill explicitly delegates parts of a codebase audit to multiple sub-agents; this is disclosed and bounded, but it means project context may be shared across agent workers.
Audit mode — full codebase security scan. Launch up to 5 parallel sub-agents (via the Agent tool), each covering an independent vulnerability domain
Run full-audit mode only on codebases you are comfortable having the agent inspect, and avoid including unrelated private files in the workspace.
