Golang Uber Fx
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is an instruction-only Go framework helper whose disclosed file-editing, Go/git commands, and documentation lookups are aligned with helping update a Go project.
This skill appears safe to install for Go projects using uber-go/fx. Before using it, be aware that it can edit project files, run Go/git commands, add the Fx dependency if asked, and optionally consult external documentation services. Review file diffs, dependency changes, and avoid sending secrets or proprietary code to external lookups.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked on a project, the agent could edit files and run Go or git commands that affect the repository.
The skill grants code editing and broad Go/lint/git command access; that fits a Go coding helper, but those tools can change repository files or run project commands.
allowed-tools: Read Edit Write Glob Grep Bash(go:*) Bash(golangci-lint:*) Bash(git:*) Agent WebFetch mcp__context7__resolve-library-id mcp__context7__query-docs
Review proposed diffs and command output, and do not approve destructive git or build commands unless they are explicitly needed.
Running the command may modify go.mod/go.sum and add or update a third-party dependency.
The documented setup step pulls an external Go module; this is expected for using Fx, but the example does not pin a version.
go get go.uber.org/fx
Run dependency changes intentionally, review go.mod/go.sum, and pin or approve versions according to your project's policy.
If you ask it to implement this pattern, secrets could become available to more constructors in your application graph.
The recipes show how generated application code may load and inject an API key; this is illustrative and no skill credential is required, but it involves sensitive values in app wiring.
## fx.Supply for config and secrets ... secret := os.Getenv("API_KEY") ... fx.Supply(fx.Annotate(secret, fx.ResultTags(`name:"apikey"`)))
Scope secret injection to only components that need it, and avoid logging, committing, or broadly propagating secret values.
Library names, error messages, or snippets included in documentation queries could be sent to external documentation providers if those tools are used.
The skill can consult external web/MCP documentation services; this is purpose-aligned for library documentation lookup, but queries may leave the local agent session.
allowed-tools: ... WebFetch mcp__context7__resolve-library-id mcp__context7__query-docs
Avoid including secrets or proprietary code in external documentation lookup queries; use local or official documentation for sensitive projects.
