Go Security Vulnerability
Identify, assess, and fix security vulnerabilities in Go modules using govulncheck. Handle common vulnerabilities like JWT issues and ensure application stability during fixes.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 1 · 1.6k · 0 current installs · 0 all-time installs
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (Go vulnerability scanning & fixes) align with required binaries (go) and the SKILL.md instructions (install and run govulncheck, update go.mod, run go build/test). Requested capabilities are coherent with the stated purpose.
Instruction Scope
Instructions are focused on scanning (govulncheck), determining impacted packages, and remediation (go get -u, go mod edit -replace, go mod tidy). They explicitly modify project files (go.mod) and pull code from public module sources — this is expected, but the skill's guidance to update to latest versions can break builds if not tested; the SKILL.md sensibly includes verification steps (build/tests).
Install Mechanism
The install spec is a shell script that pipes curl to tar and extracts an official Go tarball into /usr/local. Although the source domain (golang.org) is legitimate, piping network content directly into tar and writing to /usr/local (requires elevated privileges and can overwrite existing Go installations) raises operational and supply-chain risk. This is a higher-risk install mechanism compared with using a package manager or vetted release installer.
Credentials
The skill requests no environment variables or external credentials. That is proportional — both govulncheck and the remediation steps do not inherently require secrets. No unrelated credentials or config paths are requested.
Persistence & Privilege
always is false and the skill is user-invocable only; it does not request persistent system-wide configuration beyond installing Go (via the provided script). The install will create binaries in the system, but the skill does not demand elevated persistent privileges or modify other skills' configs.
Assessment
This skill is coherent with its purpose, but review and control any install steps before running. Specifically:
1) Do not run the curl | tar install blindly — prefer installing Go via your OS package manager, an official installer you verify, or run the script in a controlled environment; the script writes to /usr/local and may require root and can overwrite an existing Go install.
2) When applying fixes (go get -u, go mod edit -replace), work on a branch, run go build/tests and CI, and review diff/commit history — updating dependencies can break behavior.
3) Because the skill is instruction-only, there's no code to audit beyond SKILL.md; if you plan to let an agent execute these steps autonomously, ensure it runs in a sandboxed or CI environment and that you review any network downloads.
4) If you prefer lower risk, pre-install a vetted Go toolchain yourself and only allow the skill to run govulncheck and suggest remediation commands for manual approval.
Like a lobster shell, security has layers — review code before you run it.
Current version v0.1.0
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🔒 Clawdis
Bins: go
SKILL.md
Go Security Vulnerability Skill
Use Go tooling to identify, assess, and fix security vulnerabilities in Go modules. This skill helps detect and remediate vulnerabilities while maintaining application functionality.
Vulnerability Detection
Scan for vulnerabilities in your Go project:
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
Check specific modules for known vulnerabilities:
govulncheck -show verbose ./...
Assessment Process
- Identify Affected Packages: Determine which dependencies contain vulnerabilities
- Check Severity: Review the CVE details and potential impact
- Verify Usage: Confirm if the vulnerable functions are actually used in your code
- Plan Remediation: Choose the appropriate fix strategy
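The "Verify Usage" step can be driven from govulncheck's machine-readable output instead of reading the text report by hand. The following is an added example, not code from the skill's SKILL.md: a Go program that reads a govulncheck -json stream (it assumes the finding/trace message shape emitted by golang.org/x/vuln, where the first trace frame is the vulnerable symbol) and reports, per OSV id, whether the vulnerable module is merely required, its package imported, or a vulnerable function actually reachable from your code. The sample stream, its version strings and the second OSV id are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Finding mirrors the "finding" message of govulncheck -json; Trace[0] is the vulnerable symbol.
type Finding struct {
	OSV          string
	FixedVersion string `json:"fixed_version"`
	Trace        []struct{ Module, Package, Function string }
}
// Evidence levels; govulncheck emits one finding per level for the same OSV id.
const (ModuleOnly = iota; Imported; Reachable) // module required / package imported / function called
type Summary struct{ Level int; Fixed string }
// Classify keeps the strongest level per OSV id; config, progress and osv messages have no "finding" key and are skipped.
func Classify(r io.Reader) (map[string]Summary, error) {
	out := map[string]Summary{}
	dec := json.NewDecoder(r)
	for {
		var msg struct{ Finding *Finding }
		if err := dec.Decode(&msg); err == io.EOF {
			return out, nil
		} else if err != nil {
			return nil, err
		}
		f := msg.Finding
		if f == nil || len(f.Trace) == 0 {
			continue
		}
		lvl := ModuleOnly // bare module frame: no package of the module is imported
		if f.Trace[0].Function != "" {
			lvl = Reachable // call stack from your code ends at the vulnerable function
		} else if f.Trace[0].Package != "" {
			lvl = Imported // package frame only: imported, vulnerable symbol unused
		}
		if s, ok := out[f.OSV]; !ok || lvl > s.Level {
			out[f.OSV] = Summary{lvl, f.FixedVersion}
		}
	}
}
// Constructed sample (placeholder versions and second id), not real scanner output.
const sample = `{"finding":{"osv":"GO-2025-3553","fixed_version":"vX.Y.Z","trace":[{"module":"github.com/golang-jwt/jwt/v5"}]}}
{"finding":{"osv":"GO-2025-3553","fixed_version":"vX.Y.Z","trace":[{"module":"github.com/golang-jwt/jwt/v5","package":"github.com/golang-jwt/jwt/v5","function":"Parse"},{"module":"example.com/app","package":"example.com/app","function":"main"}]}} {"finding":{"osv":"GO-0000-0001","fixed_version":"vA.B.C","trace":[{"module":"example.com/dep","package":"example.com/dep"}]}}`
func main() {
	fmt.Println(Classify(strings.NewReader(sample))) // map[GO-0000-0001:{1 vA.B.C} GO-2025-3553:{2 vX.Y.Z}] <nil>
}
```

To run it against a real project, pipe `govulncheck -json ./...` into Classify via os.Stdin; only Reachable entries need an urgent fix, while Imported and ModuleOnly entries are still worth upgrading at the next opportunity.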
Common Fix Strategies
Direct Dependency Update
Update vulnerable packages to secure versions:
go get -u vulnerable/package@latest
go mod tidy
Transitive Dependency Handling
For vulnerabilities in transitive dependencies:
go mod why vulnerable/package # Understand why it's included
go get vulnerable/package@vX.Y.Z # Bump the transitive requirement to a fixed version (placeholder version)
go mod edit -replace vulnerable/package=vulnerable/package@vX.Y.Z # Replace if needed; the target must be a module path (optionally @version) or a local directory
go mod tidy
Removal Strategy
If a dependency is unused or can be replaced:
- Remove direct imports of the vulnerable code
- Run go mod tidy to clean up unused dependencies
- Verify application functionality remains intact
Verification Steps
After applying fixes:
# Verify no vulnerabilities remain
govulncheck ./...
# Ensure application still builds
go build ./...
# Run tests to verify functionality
go test ./...
Common Vulnerabilities
JWT Libraries
- Issue: github.com/golang-jwt/jwt GO-2025-3553 (excessive memory allocation)
- Fix: Update to newer version or switch to golang.org/x/oauth2 alternatives
Standard Library Updates
- Keep Go version updated for security patches
- Run go vuln to check for stdlib vulnerabilities
Best Practices
- Regularly scan dependencies with govulncheck
- Keep dependencies updated with go get -u
- Use go mod tidy to remove unused dependencies
- Test thoroughly after vulnerability fixes
- Monitor for new vulnerabilities with automated tools
