Trust Assessment
go-linter-configuration received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 4 critical, 0 high, 4 medium, and 0 low severity. Key findings include arbitrary command execution, remote code execution (curl/wget piped to a shell), and an unpinned installer script fetched from the master branch in the manifest.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 9c1b8e80). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: remote code download piped to an interpreter. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/irook661/go-linter-configuration/SKILL.md:17 |
| CRITICAL | Arbitrary command execution: remote code download piped to an interpreter. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/irook661/go-linter-configuration/SKILL.md:146 |
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/irook661/go-linter-configuration/SKILL.md:17 |
| CRITICAL | Remote code execution: curl/wget pipe to shell. Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/irook661/go-linter-configuration/SKILL.md:146 |
| MEDIUM | Unpinned installer script from master branch in manifest. The `golangci-lint` installation script specified in the skill's manifest is fetched from the `master` branch of the GitHub repository. This means the content of the script can change at any time, potentially introducing malicious code or breaking changes without warning. This constitutes a supply chain risk. Pin the installation script to a specific commit hash or a tagged release version instead of the `master` branch. For example, `https://raw.githubusercontent.com/golangci/golangci-lint/<commit_hash>/install.sh`. | LLM | Manifest |
| MEDIUM | Unpinned `go install` dependency in documentation. The `go install` command recommended in the skill's documentation uses `@latest` to fetch `golangci-lint`. This means the skill will always install the most recent version, which could introduce breaking changes or even malicious code if a compromised version is published. This constitutes a supply chain risk. Update the documentation to recommend pinning the `go install` command to a specific version, e.g., `go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.59.1`. | LLM | SKILL.md:10 |
| MEDIUM | Unpinned installer script from master branch in documentation. The `golangci-lint` installation script recommended in the skill's documentation is fetched from the `master` branch of the GitHub repository. This means the content of the script can change at any time, potentially introducing malicious code or breaking changes without warning. This constitutes a supply chain risk. Update the documentation to recommend pinning the installation script to a specific commit hash or a tagged release version instead of the `master` branch. For example, `https://raw.githubusercontent.com/golangci/golangci-lint/<commit_hash>/install.sh`. | LLM | SKILL.md:16 |
| MEDIUM | Unpinned installer script from master branch in CI/CD example. The `golangci-lint` installation script used in the provided CI/CD workflow example is fetched from the `master` branch of the GitHub repository. This means the content of the script can change at any time, potentially introducing malicious code or breaking changes without warning. This constitutes a supply chain risk for automated environments. Update the CI/CD workflow example to pin the installation script to a specific commit hash or a tagged release version instead of the `master` branch. For example, `https://raw.githubusercontent.com/golangci/golangci-lint/<commit_hash>/install.sh`. | LLM | SKILL.md:62 |
Full report: https://skillshield.io/report/0326bd109652bc05