golang-security
Pass
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [SAFE]: The skill provides detailed and accurate security reference material, advocating for industry-standard practices such as using Argon2id for password hashing, AES-GCM for authenticated encryption, and the os.Root package for preventing path traversal.
- [EXTERNAL_DOWNLOADS]: The skill automates the installation of official security tooling, fetching govulncheck from golang.org and gosec from github.com/securego. These are recognized, trusted sources within the Go ecosystem.
- [COMMAND_EXECUTION]: Command execution is restricted to a specific allowlist of binary patterns (go:*, govulncheck:*, git:*, golangci-lint:*). This implementation of the least privilege principle significantly hardens the execution environment against arbitrary command injection.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface due to its primary function of auditing untrusted external codebases.
  - Ingestion points: External project files and code snippets read via the Read, Grep, and Glob tools during security reviews and audits.
  - Boundary markers: None identified; the skill does not use specific delimiters or instructions to the agent to isolate content from audited files.
  - Capability inventory: The skill can perform restricted Bash operations, launch up to five parallel sub-agents via the Agent tool, and modify files using the Write or Edit tools.
  - Sanitization: None identified; analyzed data is processed directly as part of the audit workflow.
- [CREDENTIALS_UNSAFE]: While the skill contains examples of hardcoded credentials (e.g., AWS keys, database connection strings), these are explicitly presented as 'Bad' code examples for the purpose of teaching developers what to flag during security audits.
Audit Metadata