go-dev

Security checks across malware telemetry and agentic risk

Overview

This is a Go development guidance skill with visible setup commands, not hidden or unrelated behavior.

Install only if you want an opinionated Go development workflow. Review installation commands before running them, prefer pinned and verified tool versions, be cautious with auto-fix and Git hook setup, and verify DATABASE_URL points to a safe non-production database before running migration rollback or drop commands.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The documentation recommends executing a remote installer via `curl ... | sh`, which runs network-fetched code immediately without inspection, checksum verification, or signature validation. Even in a developer setup guide, this creates a supply-chain risk: if the host, CDN, DNS, TLS termination, or script publishing pipeline is compromised, users may execute arbitrary code on their machines.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal