Back to skill
Skillv1.0.0
ClawScan security
Go Install · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 9, 2026, 1:00 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions, requested artifacts, and behavior are coherent with its stated purpose (installing Go in a user home directory); no unrelated credentials or surprising privileges are requested.
- Guidance
- This skill is coherent for installing Go, but review and run the commands yourself rather than blindly pasting them. Specific recommendations: 1) Verify the downloaded tarball (compare SHA256 checksums from https://go.dev/dl/) before extracting to avoid tampered downloads. 2) If you have a prior Go installation, check and handle it (the instructions install to ~/go-sdk, not /usr/local/go). 3) Create GOPATH (mkdir -p ~/go) if you want that directory present. 4) Append exports to the correct shell rc for your shell (bash, zsh, etc.), then source the file or restart your shell. 5) Prefer the platform package manager or your organization’s approved distribution method if you need system-wide, managed installs. Only run the exact URLs from the official go.dev site.
Review Dimensions
- Purpose & Capability
- okName/description match the instructions: the SKILL.md only downloads the Go tarball from the official go.dev site, extracts it to a user directory, and configures environment variables and common go commands — all expected for a Go installer.
- Instruction Scope
- noteInstructions remain within the installer scope (download, extract, move to ~/go-sdk, export PATH/GOROOT/GOPATH, append to ~/.bashrc). They do modify the user's shell config (~/.bashrc) which is expected for installation but should be noted. The instructions do not perform any system-wide actions or access secrets. One omission: the script does not verify the archive integrity/signature (no SHA256/GPG verification) before extracting, which is a security best-practice gap.
- Install Mechanism
- noteThis is an instruction-only skill (no install spec). The download URLs point to the official go.dev domain (good). However, the instructions rely on curl and tar without recommending checksum or signature verification of the downloaded archive.
- Credentials
- okThe skill requests no credentials or environment variables. It instructs the user to set PATH, GOPATH, and GOROOT which are normal and necessary for Go development and proportionate to the stated purpose.
- Persistence & Privilege
- okalways is false and the skill does not request elevated or persistent platform privileges. It writes to the invoking user's shell rc (~/.bashrc), which is a standard local installation-side effect and within scope.