v1.0.0

Golang Spf13 Cobra

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 11:58 AM.

Analysis

This is an instruction-only Go/Cobra coding guide with purpose-aligned tools and examples, with only normal caution around running Go/Git commands and installing latest-version packages.

Guidance: This skill appears safe for normal Go/Cobra development use. Before installing or invoking it, be aware that it can guide edits and Go/Git commands in your project; review changes and pin dependency versions when you need reproducible builds.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low, Confidence: High, Status: Note
SKILL.md
allowed-tools: Read Edit Write Glob Grep Bash(go:*) Bash(golangci-lint:*) Bash(git:*) Agent WebFetch mcp__context7__resolve-library-id mcp__context7__query-docs

The skill grants code editing plus local Go/Git command capabilities. This is expected for a Go CLI engineering skill, but these tools can change source files, dependencies, tests, or repository state.

User impact: The agent may be able to edit your Go project and run Go or Git commands while helping with Cobra work.
Recommendation: Review proposed file edits and be especially careful with commands that change dependencies, rewrite Git history, push changes, or modify many files.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
SKILL.md
go get github.com/spf13/cobra@latest

The setup guidance uses an @latest module version. This is common and purpose-aligned for adding Cobra, but it resolves dynamically and is less reproducible than a pinned version.

User impact: Installing or updating with @latest may pull a newer dependency version than expected.
Recommendation: For production projects, prefer pinning reviewed module/tool versions in go.mod or install commands.