Skill v0.2.0

ClawScan security

Go Development Stack · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 5:43 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's instructions, files, and requirements are coherent with an opinionated Go development setup; nothing requests unrelated credentials or installs hidden components, though there are minor documentation-to-declaration mismatches to be aware of.
Guidance
This is an instruction-only Go development guide and is internally consistent with its stated purpose. Before running any of the provided commands, review them and do not blindly execute them in a production environment:

1) Example migration commands use $DATABASE_URL — ensure it points to a test DB and not production since it may contain credentials.
2) Installation examples include piping archives from GitHub (curl | tar) and go install commands — only run those from trusted sources or pin versions when you need reproducible builds.
3) The skill doesn't declare required env vars even though the examples reference them; set them intentionally and check their values first.

If you want higher assurance, ask the author for version-pinned install commands and an explicit list of environment variables the workflow expects.

Review Dimensions

Purpose & Capability
ok: Name/description (Go dev stack: linters, formatter, test runner, migrate, just) match the SKILL.md content and included references. All tools and example commands are appropriate for the stated purpose.
Instruction Scope
note: SKILL.md is instruction-only and stays within expected scope (scaffolding, tool installation, config templates, Just recipes, CI examples). It includes example commands that reference environment variables (e.g., $DATABASE_URL, GOTESTSUM_*), and suggests running installs (go install, curl | tar) — expected for a setup guide but the doc occasionally assumes these env vars exist without declaring them.
Install Mechanism
ok: There is no install spec — the skill is instruction-only. Example install commands use go install, brew, curl from GitHub releases, and Docker. Those are normal for tooling docs and are not executed automatically by the platform.
Credentials
note: The skill does not declare any required environment variables, yet the examples and Justfile reference DATABASE_URL and various GOTESTSUM_* env vars. This is typical for examples, but it's an inconsistency: the SKILL.md expects these env values to be set when running migrations or CI, and DATABASE_URL can contain sensitive credentials.
Persistence & Privilege
ok: always:false and no special privileges requested. The skill does not attempt to modify other skills or any global agent settings; it is instruction-only and does not request persistent presence.