golang-base-practices
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill instructs the agent to perform 'go install' for several third-party binaries from untrusted GitHub users and organizations (pressly, kisielk, golangci, mgechev, honnef.co), which downloads code from non-whitelisted sources to the local environment.
- [REMOTE_CODE_EXECUTION] (HIGH): Several recommended rules involve downloading and executing unverified binaries (e.g., goose, revive, staticcheck) on the host system. Without source verification or whitelisting, these represent potential supply chain attack vectors.
- [COMMAND_EXECUTION] (HIGH): This skill has a high vulnerability surface for Indirect Prompt Injection. It ingests untrusted data (project source code during reviews) and has the capability to execute commands like 'go test', 'go build', and various linters.
  * Ingestion points: Project source files being reviewed or refactored.
  * Boundary markers: Absent; there are no instructions to the agent to treat code comments or markdown in source files as untrusted data.
  * Capability inventory: Execution of 'go test', 'go build', 'golangci-lint', and other toolchain commands via shell.
  * Sanitization: None identified; the skill does not provide instructions for sanitizing or escaping code content before processing.
- [PROMPT_INJECTION] (LOW): No direct malicious prompt injection patterns were found within the skill's own rules, but its architecture facilitates indirect injection when analyzing third-party code.
Recommendations
- AI detected serious security threats