Low risk: risk score 20/100
Last scan: 17 hours ago
golang-code-review
Golang code review skill: comprehensive code review of Go code in Git merge commits
A legitimate Go code review skill with minor documentation inconsistencies but no malicious behavior detected.
Skill name: golang-code-review
Analysis time: 35.4s
Engine: pi
Verdict: can be installed
The skill is safe to use but lacks the full security scanning capabilities advertised. Consider verifying external tool dependencies.

Security findings (3)

Severity: Low
Finding: Inflated capability claims in documentation (category: documentation deception)
Detail: SKILL.md claims "安全漏洞扫描:检测常见安全问题(SQL注入、XSS、不安全的反序列化等)" (security vulnerability scanning: detects common security issues such as SQL injection, XSS, and insecure deserialization), but the actual implementation only performs basic format checks and simple error-handling detection, with no real security scanning.
Evidence (SKILL.md): 安全漏洞扫描:检测常见安全问题(SQL 注入、XSS、不安全的反序列化等)
Recommendation: Either implement proper security scanning or update the documentation to reflect the actual capabilities.
Location: SKILL.md:6

Severity: Low
Finding: Referenced tools not implemented (category: documentation deception)
Detail: SKILL.md and config.md reference staticcheck, golint and errcheck, but index.go does not invoke any of these external tools.
Evidence (SKILL.md): 使用静态分析工具(如 staticcheck, unused, errcheck) (use static analysis tools such as staticcheck, unused, errcheck)
Recommendation: Implement actual integration with the external tools or remove the references from the documentation.
Location: SKILL.md:4

Severity: Info
Finding: Embedded executable code in documentation (category: documentation deception)
Detail: SKILL.md contains embedded Go code with a shebang (#!/usr/bin/env go), which is unconventional but not inherently malicious.
Evidence (SKILL.md): #!/usr/bin/env go
Recommendation: Move implementation code into separate files rather than embedding it in documentation.
Location: SKILL.md:22
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | READ | READ | ✓ consistent | index.go reads Go files via os.ReadFile for analysis
Command execution | NONE | NONE | | No subprocess or shell execution in code
Network access | NONE | NONE | | No network calls present in implementation
Credential access | NONE | NONE | | No credential harvesting or sensitive file access
External URLs (2 findings)

Severity: Medium
Finding: External URL
URL: https://golang.org/doc/effective_go.html
Location: SKILL.md:20

Severity: Medium
Finding: External URL
URL: https://staticcheck.io
Location: SKILL.md:21

Directory structure

3 files · 7.7 KB · 288 lines
Go: 1 file, 224 lines · Markdown: 2 files, 64 lines
├─ 📝 config.md Markdown 41L · 848 B
├─ 📄 index.go Go 224L · 5.8 KB
└─ 📝 SKILL.md Markdown 23L · 1.0 KB

Security highlights

✓ No credential harvesting or sensitive file access detected
✓ No network communication or data exfiltration
✓ No obfuscation techniques (base64, eval, etc.)
✓ No reverse shell or remote code execution
✓ No supply chain risks - no external dependencies used
✓ Filesystem access limited to reading files for analysis (compliant with declared behavior)
✓ No persistence mechanisms or backdoors
✓ No prompt injection vulnerabilities