skills/hadihammurabi/skills/gowok/Gen Agent Trust Hub

gowok

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: CRITICAL
EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill instructs users to install an external package 'github.com/gowok/gowok' via 'go get'. Since this repository and its author are not listed among Trusted GitHub Organizations, it represents an unverifiable dependency that could execute unvetted code during development or runtime.
  • CREDENTIALS_UNSAFE (MEDIUM): The configuration documentation ('references/configuration.md') recommends storing sensitive data, including encryption secrets and database connection strings (DSNs), in a plain-text 'config.yaml' file. Additionally, the skill provides code examples demonstrating how to print the global 'gowok.Config' object to standard output, which would result in the leakage of these secrets in logs or terminal sessions.
  • PROMPT_INJECTION (LOW): The skill creates an attack surface for indirect prompt injection by defining web route handlers ('references/web.md') that ingest untrusted HTTP request data.
      • Ingestion points: Request parameters ('r *http.Request') in 'web.HandleFunc' and helper methods.
      • Boundary markers: None present in code examples to distinguish between instructions and data.
      • Capability inventory: SQL operations ('sql.md') and HTTP response construction ('web.md').
      • Sanitization: No input validation or sanitization logic is provided in the documentation.
  • EXTERNAL_DOWNLOADS (LOW): The 'sql.md' file references several external SQL drivers (e.g., 'lib/pq'). Although these are standard in the Go ecosystem, they are external dependencies. Note: An automated scanner flagged 'sql.md' for a blacklisted URL, though manual inspection of the visible text did not reveal an obviously malicious absolute domain.
Recommendations
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 17, 2026, 06:37 PM