go-code-review
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill operates entirely within the scope of its stated purpose. It provides a robust framework for Go code review using local configuration and established development tools.
- [EXTERNAL_DOWNLOADS]: The skill suggests the installation of
staticcheck(honnef.co/go/tools/cmd/staticcheck@latest), which is a widely-used and well-known open-source static analysis tool for the Go programming language. This is documented neutrally as it is a standard dependency for the analysis workflow. - [COMMAND_EXECUTION]: The skill executes local shell scripts (
tools/run-go-tools.sh,tools/scan-rules.sh) that trigger standard Go toolchain commands likego buildandgo vet. These operations are essential for its primary function of identifying compilation errors and code smells. - [PROMPT_INJECTION]: The skill processes untrusted user-provided Go code (via
git diff), which constitutes an indirect prompt injection surface. An attacker could attempt to embed instructions within code comments to manipulate the AI agent's review results. - Ingestion points: Code content is ingested in
SKILL.mdviagit diffand passed to agents as text. - Boundary markers: The skill uses standard markdown code blocks but lacks explicit 'ignore internal instructions' delimiters when presenting code to the agents.
- Capability inventory: The environment allows executing
go buildandgo veton the provided code, and agents have access toReadandGreptools. - Sanitization: No specific sanitization of the Go source code is performed prior to agent analysis, though the use of specialized agents with narrow scopes (e.g., safety, data) acts as a natural constraint.
Audit Metadata