Golang Troubleshooting
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is mostly a normal Go debugging skill, but it deserves review because some troubleshooting steps can expose API keys, database settings, or full production HTTP traffic without enough redaction guidance.
Use this skill for Go debugging only with careful approval of sensitive steps. Do not let it print API keys, database URLs, tokens, cookies, or full production traffic unless values are redacted and you understand where the output will be stored. Consider pinning the Delve version for reproducible installs.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Local or project secrets could be exposed in the conversation, tool output, or logs during debugging.
These commands can display database URLs, API keys, or other credentials to the agent/tool transcript. The skill does not pair them with redaction, approval, or a bounded credential contract.
# Verify environment variables and config
env | grep DATABASE
env | grep API_KEY
Approve credential-related checks explicitly, verify only whether variables are set, and redact values for API keys, tokens, passwords, and database URLs.
Sensitive customer data, credentials, or tokens could end up in application logs or observability systems.
The production debugging guidance shows logging complete HTTP requests and responses, including bodies, without warning to redact Authorization headers, cookies, tokens, or personal data.
// second argument true: include the body, so credentials in headers and payloads are written to the log
dump, _ := httputil.DumpRequestOut(req, true)
log.Printf("request:\n%s", dump)
dump, _ = httputil.DumpResponse(resp, true)
log.Printf("response:\n%s", dump)
Use full request/response dumps only in tightly controlled debugging sessions, redact sensitive headers and bodies, and remove the logging after diagnosis.
Profile files may contain sensitive runtime, stack, or memory information and may remain on disk after debugging.
The skill explicitly handles pprof dumps and warns they contain sensitive runtime information. This is purpose-aligned, but the resulting files can persist and expose stack or memory details.
Pprof endpoints MUST be protected with basic auth — NEVER expose them publicly. They leak sensitive runtime information ...
curl http://localhost:6060/debug/pprof/heap > heap.prof
Capture profiles only from authorized systems, protect pprof endpoints, store profile files securely, and delete them when no longer needed.
A later install may use a Delve version different from the one implicitly reviewed today.
Delve is an expected Go debugging dependency, but installing @latest is unpinned and may fetch a different version in the future.
package: github.com/go-delve/delve/cmd/dlv@latest
Pin Delve to a known version if reproducibility or supply-chain assurance is important.
More agent contexts may inspect the codebase during broad audits.
The skill can delegate broad codebase bug hunts to multiple agents. It is bounded and user-triggered, but the artifact does not define separate data boundaries for sub-agent contexts.
Launch up to 5 parallel sub-agents, one per bug category ... Use this mode when the user asks for a broad sweep
Use broad-audit mode only on repositories you are comfortable sharing with the agent environment, and avoid including secrets in code or context.
