Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Golang Error Handling

v1.1.1

Idiomatic Golang error handling — creation, wrapping with %w, errors.Is/As, errors.Join, custom error types, sentinel errors, panic/recover, the single handl...

by Samuel Berthe (@samber)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the declared requirements: it's an instruction-only Go error-handling skill that only requires the 'go' binary. Recommending slog and samber/oops is consistent with a production-oriented error-handling skill. However, the documentation contains a contradictory example (an example shows interpolating an ID into an error string while other sections insist on low-cardinality messages and avoiding ID interpolation). This is an internal coherence issue in the docs (not necessarily malicious) and should be clarified.
Instruction Scope
SKILL.md instructs the agent to run audits across codebases and explicitly recommends launching up to 5 parallel sub-agents (Agent tool) to grep for violations. This is within the skill's stated purpose (code audit), but it grants the agent broad discretion to read project files, run grep/other tooling, and spawn background sub-agents. If you don't want automated codebase scanning or background agents, disable autonomous invocation or review the agent actions first.
Install Mechanism
Instruction-only skill with no install spec and no code files. Lowest install risk — nothing is written to disk by an installer. It does recommend third-party Go libraries (samber/oops) for users to adopt in their code, which is expected for this kind of guidance.
Credentials
No environment variables, credentials, or config paths are requested. The single required binary is 'go', which is appropriate for a Go-focused skill.
Persistence & Privilege
always:false (normal). The skill permits autonomous invocation (disable-model-invocation:false), which is the platform default. That combined with the instruction to spawn sub-agents increases the potential blast radius if the agent is allowed to run autonomously, but by itself the skill does not demand persistent or elevated system privileges.
What to consider before installing
This skill appears to be what it claims (a Go error-handling authoring/audit guide) but with two things to watch for: 1) it explicitly instructs spawning parallel sub-agents to grep and audit your repository — that means the agent will read your project files and may run tooling (grep, go commands). Only enable autonomous invocation if you trust those actions. 2) the documentation contains a small internal inconsistency (an example that interpolates an ID into an error string while other guidance forbids interpolating IDs). Before installing or enabling for autonomous use, review SKILL.md and the references for any parts you don't want automated (search/modify), and consider running the skill in an interactive/manual mode first. If you need higher confidence, ask the skill author for clarification about the inconsistent example and for explicit limits on what the sub-agents will read or modify.

latest vk97e5y0b5kqctktn93pmsj0nh983njp1

Runtime requirements

⚠️ Clawdis
Bins: go
