Skill v0.1.0
ClawScan security
Go Vuln Auth Bypass · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 8:16 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: An instruction-only auditing checklist for Go authentication/authorization issues; its requirements, instructions, and artifacts are consistent with that purpose and it does not request credentials or install code.
- Guidance: This skill is an offline checklist and code-search patterns for auditing Go auth/authorization issues and appears internally consistent. Before installing or granting an agent access: (1) ensure the agent is only given access to the repository or files you want audited (the skill's checks operate on local source), (2) review references/cases.md if you want concrete examples, and (3) if you prefer manual control, invoke the skill only when needed (it is not always-enabled). There are no required credentials or remote installs, so the direct technical risk from the skill itself is low.
Review Dimensions
- Purpose & Capability (ok): The name/description describe auditing Go auth/authorization flows and the artifact is a detailed checklist and grep/search patterns for exactly that task. No unrelated binaries, env vars, or external services are requested.
- Instruction Scope (ok): SKILL.md contains static guidance and concrete repo-local grep/search/check steps for auditing Go code, plus a references file of real cases. It does not instruct the agent to read unrelated system files, exfiltrate data, or call external endpoints.
- Install Mechanism (ok): No install spec or code files; instruction-only. Nothing will be downloaded or written to disk by an install step.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. The guidance operates on repo-local source code, so no external secrets are needed.
- Persistence & Privilege (ok): The always flag is false and there is no install-time persistence. The skill is user-invocable and allows model invocation (platform default) but does not request elevated or permanent privileges.
