Low Risk — Risk Score 20/100
Last scan: 16 hr ago
golang-code-review
Golang code review skill: performs a comprehensive code review of Golang code in Git merge commits
A legitimate Go code review skill with minor documentation inconsistencies but no malicious behavior detected.
Skill Name: golang-code-review
Duration: 35.4s
Engine: pi
Safe to install
The skill is safe to use, but it does not deliver the security-scanning capabilities its documentation advertises: treat it as a formatting and error-handling check, and verify for yourself whether the external tools it references are actually invoked.

Findings (3 items)

Low  Inflated capability claims in documentation  (Doc Mismatch, SKILL.md:6)
  Evidence: "Security vulnerability scanning: detect common security issues (SQL injection, XSS, insecure deserialization, etc.)"
  SKILL.md advertises security scanning, but the implementation only performs basic format checks and simple error-handling detection; it contains no detection logic for the vulnerability classes it lists.
  → Either implement proper security scanning or update the documentation to reflect actual capabilities.

Low  Referenced tools not implemented  (Doc Mismatch, SKILL.md:4)
  Evidence: "Use static analysis tools (such as staticcheck, unused, errcheck)"
  SKILL.md and config.md reference staticcheck, golint, errcheck, but index.go never invokes these external tools (it contains no subprocess or shell execution at all).
  → Implement actual integration with the external tools or remove the references from the documentation.

Info  Embedded executable code in documentation  (Doc Mismatch, SKILL.md:22)
  Evidence: #!/usr/bin/env go
  SKILL.md contains embedded Go code with a shebang line. This is unconventional but not inherently malicious; note that the go tool has no script mode, so this shebang does nothing useful even if the file were made executable ("go <file>" is rejected as an unknown command). Code meant to run belongs in a separate .go file started with "go run".
  → Move implementation code to separate files rather than embedding it in documentation.
Resource           Declared  Inferred  Status     Evidence
Filesystem         READ      READ      ✓ Aligned  index.go reads Go files via os.ReadFile for analysis
Shell              NONE      NONE                 No subprocess or shell execution in code
Network            NONE      NONE                 No network calls present in implementation
credential_access  NONE      NONE                 No credential harvesting or sensitive file access
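The Declared/Inferred comparison above and the "Referenced tools not implemented" finding can both be reproduced from source with a small static check. The Go program below is an added example, not the scanner's own code and not part of the golang-code-review skill: it parses a Go file with go/parser, resolves import aliases, classifies imports and package-qualified calls into filesystem/shell/network evidence, and extracts the string-literal program names passed to exec.Command so they can be diffed against the tools a SKILL.md claims. The import-to-resource table and the two embedded sample sources are constructed for this example and are assumptions, not the scanner's real rules or the skill's actual index.go.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"path"
	"sort"
	"strconv"
)

// resourceFor maps import paths to resource classes; assumed for this example, not the scanner's rules.
var resourceFor = map[string]string{"os": "filesystem", "os/exec": "shell", "net/http": "network"}

// Infer parses one Go file (syntax only, no type checking) and returns the resource classes it
// touches with their evidence, plus the sorted tool names launched via exec.Command
// ("<dynamic>" when the program name is not a string literal).
func Infer(filename, src string) (map[string][]string, []string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, nil, err
	}
	resources := map[string][]string{}
	var tools []string
	// Local import name -> path, so aliases (import sh "os/exec") are caught.
	// Assumes the package name is the last path element when unaliased (true for stdlib).
	local := map[string]string{}
	for _, imp := range f.Imports {
		p, _ := strconv.Unquote(imp.Path.Value) // parser guarantees a valid string literal
		name := path.Base(p)
		if imp.Name != nil {
			name = imp.Name.Name
		}
		local[name] = p
		if r, ok := resourceFor[p]; ok {
			resources[r] = append(resources[r], "import "+p)
		}
	}
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok {
			return true
		}
		id, ok := sel.X.(*ast.Ident)
		if !ok {
			return true
		}
		pkgPath := local[id.Name] // "" for a method on a local value: matches nothing below
		where := fmt.Sprintf("%s.%s at %s:%d", id.Name, sel.Sel.Name, filename, fset.Position(call.Pos()).Line)
		if r, ok := resourceFor[pkgPath]; ok {
			resources[r] = append(resources[r], where)
		}
		if pkgPath == "os/exec" && sel.Sel.Name == "Command" && len(call.Args) > 0 {
			tool := "<dynamic>"
			if lit, ok := call.Args[0].(*ast.BasicLit); ok && lit.Kind == token.STRING {
				tool, _ = strconv.Unquote(lit.Value)
			}
			tools = append(tools, tool)
		}
		return true
	})
	sort.Strings(tools)
	return resources, tools, nil
}

// MissingTools lists documented tools absent from the (sorted) launched list;
// a non-empty result is the "referenced tools not implemented" mismatch.
func MissingTools(claimed, launched []string) []string {
	var missing []string
	for _, c := range claimed {
		if i := sort.SearchStrings(launched, c); i == len(launched) || launched[i] != c {
			missing = append(missing, c)
		}
	}
	return missing
}

// Constructed samples: one mirrors the report (reads files, launches nothing), one shells out to the documented tools.
const sampleReadOnly = `package main
import ("fmt"; "os")
func main() { b, _ := os.ReadFile("x.go"); fmt.Println(len(b)) }`

const sampleWithTools = `package main
import sh "os/exec"
func main() { _ = sh.Command("staticcheck", "./..."); _ = sh.Command("errcheck", "./...") }`

func main() {
	res, tools, err := Infer("index.go", sampleReadOnly)
	if err != nil {
		panic(err)
	}
	fmt.Println(res, tools, MissingTools([]string{"staticcheck", "errcheck"}, tools))
}
```

Run with go run; for the read-only sample the output shows filesystem evidence only, an empty tool list, and both documented tools reported missing, which is exactly the mismatch in the finding above. Resolution is by import name, so a local variable that shadows a package name would be misattributed; for type-checked precision, resolve selectors with go/types instead.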
External URLs (2 findings)

Medium  External URL  https://golang.org/doc/effective_go.html  (SKILL.md:20)
Medium  External URL  https://staticcheck.io  (SKILL.md:21)

File Tree

3 files · 7.7 KB · 288 lines
Go: 1 file, 224 lines · Markdown: 2 files, 64 lines
├─ 📝 config.md Markdown 41L · 848 B
├─ 📄 index.go Go 224L · 5.8 KB
└─ 📝 SKILL.md Markdown 23L · 1.0 KB

Security Positives

✓ No credential harvesting or sensitive file access detected
✓ No network communication or data exfiltration
✓ No obfuscation techniques (base64, eval, etc.)
✓ No reverse shell or remote code execution
✓ No supply-chain risk: no external dependencies are used
✓ Filesystem access limited to reading files for analysis (compliant with declared behavior)
✓ No persistence mechanisms or backdoors
✓ No prompt injection vulnerabilities