ClawHub
Back to skill

Security audit

Go Vuln Info Disclosure

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Go audit skill, but it includes some high-impact auth/RCE guidance outside its stated information-disclosure scope.

Install only if you want a broader Go security-audit reference, not a strictly information-disclosure-only skill. Use it only on codebases you are authorized to review, and handle any discovered secrets or exploit-relevant findings privately and through approved disclosure channels.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The reference file for an information-disclosure-focused skill includes guidance and examples for unrelated vulnerability classes, specifically authentication bypass and RCE. This scope expansion is dangerous because it broadens the offensive capability taught by the skill beyond its declared purpose, making misuse easier and undermining least-functionality expectations for a narrowly scoped security tool.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The file teaches detection and attack-path details for arbitrary file deletion and RCE, which are not required for an information-disclosure skill. Including exploit-adjacent material for more severe vulnerability classes increases the chance the skill will be used for harmful dual-use outcomes rather than the constrained defensive purpose described in the metadata.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The JWT authentication-bypass case is outside the declared information-disclosure scope and introduces identity-forgery/RBAC-bypass guidance into a credential-leak skill. That mismatch makes the content more dangerous in context because users invoking this skill for disclosure auditing would also receive unrelated privilege-escalation patterns and attack steps.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.