Back to skill

Security audit

Golang Project Layout

Security checks across malware telemetry and agentic risk

Overview

This Go dependency-injection skill is purpose-aligned and disclosed; it can edit Go projects and run Go-related commands but shows no hidden, destructive, or exfiltrating behavior.

Install this only for Go repositories where you want help adopting or maintaining uber-go/dig. Expect the agent to read and edit project files and possibly run `go get`, `go test`, `golangci-lint`, and git inspection commands; review generated diffs before committing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The manifest description is broad enough to trigger on many ordinary Go-related requests, including general code organization or restructuring discussions. Because the skill is user-invocable and grants Bash access for Go, golangci-lint, and git commands, overbroad routing increases the chance the agent loads and follows this skill in contexts where it was not specifically intended, potentially causing unnecessary file modifications or command execution.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.