Trust Assessment
go-security-vulnerability received a trust score of 92/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 3 findings: 0 critical, 0 high, 1 medium, and 1 low severity. Key findings: "Go installation requires elevated privileges", "Unpinned dependency in govulncheck installation instruction", and "Unpinned dependency in 'go get' example instruction".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **Unpinned dependency in govulncheck installation instruction.** The skill instructs users to install `govulncheck` using `@latest`. This means the exact version of the tool is not pinned, introducing a supply chain risk. Future versions of `govulncheck` could potentially introduce vulnerabilities, breaking changes, or be compromised without explicit review by the user. Pin the `govulncheck` version to a specific, known-good release (e.g., `govulncheck@v0.0.0-20230906100808-f772719705e4` or a stable release tag) to ensure deterministic builds and reduce supply chain risk. | LLM | SKILL.md:10 |
| LOW | **Unpinned dependency in 'go get' example instruction.** The skill provides an example for updating dependencies using `go get -u vulnerable/package@latest`. While only an example, it promotes the use of `@latest`, which can lead to unpinned dependencies in user projects. This practice introduces supply chain risk because the exact version of the dependency is not fixed and could change unexpectedly. Modify the example to encourage or demonstrate pinning dependency versions explicitly (e.g., `go get -u vulnerable/package@v1.2.3`), or add a note advising users of the risks of using `@latest` for production dependencies. | LLM | SKILL.md:29 |
| INFO | **Go installation requires elevated privileges.** The skill's installation script, defined in the manifest, downloads and extracts Go to `/usr/local`. This directory typically requires root or sudo privileges for write access. While common for system-wide Go installations, this grants the installation script elevated permissions during the skill's setup. Consider installing Go to a user-specific directory if possible, or clearly document the elevated privilege requirement and provide alternatives for users who prefer not to grant such access to the skill's installer. | LLM | SKILL.md |
Full report: https://skillshield.io/report/2a9d676a9edbc32c
Powered by SkillShield