Security audit

Golang Uber Dig

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Go coding skill for using uber-go/dig, with normal project-editing and Go tooling access and no evidence of hidden persistence or credential handling.

Install this when you want an agent to help wire uber-go/dig in a Go repository. Review generated code, go.mod/go.sum changes from `go get`, and any Git commands before committing or pushing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 87%
Finding: This markdown manifest grants `Edit`, `Write`, and `Bash(...)` tool access, which can modify files and execute commands, but the skill description does not include a warning about impacts to user data or system integrity. Under SQP-2 for markdown files, skills should disclose behaviors that could affect the user's files or environment.

Session Persistence

Medium
Category: Rogue Agent
Content (excerpt from the skill's test definitions, truncated as shown):
    "id": 11,
    "name": "fx-vs-dig-when-lifecycle",
    "description": "Tests recommending fx (instead of raw dig) when the user needs lifecycle/signal handling",
    "prompt": "I'm starting a new Go service with uber-go/dig. The service needs to gracefully shut down on SIGTERM, run startup migrations, and start a background worker. Should I implement signal handling and start/stop sequencing on top of dig myself?",
    "trap": "Without the skill, the model writes custom signal handling code on top of raw dig — missing that uber-go/fx is built specifically for this and provides fx.Lifecycle, fx.Hook, and signal-aware Run().",
    "assertions": [
      {"id": "11.1", "text": "Recommends migrating to or considering uber-go/fx for the lifecycle requirements"},
Confidence: 70%
Finding: flagged text "start a background worker" (from the test prompt quoted above)

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.