forgou37

Go Security Audit

Author: forgou37 · GitHub · v1.0.0 · MIT-0
cross-platform ✓ Security check passed
Total downloads: 28
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install go-security-audit
Description
Perform a security audit of a Go codebase. Targets SSH servers, BBS systems, API services, and CLI tools. Finds race conditions, goroutine leaks, missing err...
Usage (SKILL.md)

Go Security Audit

Workflow

Phase 1: Reconnaissance

  1. Map the codebase: go.mod for dependencies, cmd/ for entry points, internal/ for core logic
  2. Identify concurrency primitives: sync.Mutex, sync.RWMutex, channels, goroutines
  3. Identify external inputs: HTTP handlers, SSH sessions, CLI args, env vars, DB queries
  4. Note subprocess execution: exec.Command, os.StartProcess

Phase 2: Race Condition Analysis

Check every shared mutable state:

TOCTOU patterns — check/act gaps:

// BAD: unlock between check and use
r.mu.Lock()
entry, ok := r.m[id]
r.mu.Unlock()          // ← gap here
if !ok { return }
entry.Close()          // ← entry could be gone

// GOOD: defer unlock or keep locked through the operation
r.mu.Lock()
defer r.mu.Unlock()
entry, ok := r.m[id]
if !ok { return }
delete(r.m, id)
entry.Close()
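
The check/act gap above is easiest to believe when you can watch it fail. The following is an added example, not code from SKILL.md or from forgou37's project; the `conn` type, `Registry`, the session ID "session-1" and the `StressClose` harness are all constructed here. `CloseUnsafe` reproduces the BAD shape (unlock between lookup and `Close`), `CloseSafe` the GOOD one (remove the entry while the lock is still held, so only one caller ever owns it). Run it with `go run -race` to see the detector flag the unsynchronised write in the unsafe path.

```go
package main

import (
	"fmt"
	"sync"
)

// conn is a constructed stand-in for a resource (SSH session, socket) that
// must be closed exactly once; a second Close is reported as an error.
type conn struct {
	id     string
	closed bool
}

func (c *conn) Close() error {
	if c.closed {
		return fmt.Errorf("conn %s: double close", c.id)
	}
	c.closed = true
	return nil
}

// Registry maps IDs to connections behind a single mutex.
type Registry struct {
	mu sync.Mutex
	m  map[string]*conn
}

func NewRegistry() *Registry { return &Registry{m: map[string]*conn{}} }

func (r *Registry) Add(id string) {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.m[id] = &conn{id: id}
}

// CloseUnsafe reproduces the TOCTOU gap: the lock is released after the
// lookup, so every concurrent caller obtains the same *conn and all of
// them call Close on it. The second call fails, and `-race` reports the
// unsynchronised write to c.closed.
func (r *Registry) CloseUnsafe(id string) (bool, error) {
	r.mu.Lock()
	c, ok := r.m[id]
	r.mu.Unlock() // gap: another goroutine may close c right here
	if !ok {
		return false, nil
	}
	return true, c.Close()
}

// CloseSafe removes the entry while still holding the lock, so exactly one
// caller ever owns the *conn. Close itself runs after Unlock, which keeps
// the critical section short without reintroducing the race.
func (r *Registry) CloseSafe(id string) (bool, error) {
	r.mu.Lock()
	c, ok := r.m[id]
	if ok {
		delete(r.m, id)
	}
	r.mu.Unlock()
	if !ok {
		return false, nil
	}
	return true, c.Close()
}

// StressClose has `workers` goroutines race to close one registered conn
// through closeFn and returns (successful closes, double-close errors).
// For CloseSafe the result is always (1, 0).
func StressClose(workers int, closeFn func(*Registry, string) (bool, error)) (int, int) {
	r := NewRegistry()
	r.Add("session-1")
	var wg sync.WaitGroup
	var mu sync.Mutex
	closes, errs := 0, 0
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			closed, err := closeFn(r, "session-1")
			mu.Lock()
			defer mu.Unlock()
			if err != nil {
				errs++
			} else if closed {
				closes++
			}
		}()
	}
	wg.Wait()
	return closes, errs
}

func main() {
	closes, errs := StressClose(64, (*Registry).CloseSafe)
	fmt.Printf("safe:   %d close, %d double-close errors\n", closes, errs)
	closes, errs = StressClose(64, (*Registry).CloseUnsafe)
	fmt.Printf("unsafe: %d close, %d double-close errors (varies run to run)\n", closes, errs)
}
```

The design point is ownership transfer: whoever deletes the map entry under the lock is the only goroutine allowed to close it, so the expensive `Close` can safely run outside the critical section.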

Map concurrent access:

  • Any map written in one goroutine and read in another without mutex → data race
  • Use sync.Map or protect with sync.RWMutex

Channel patterns:

  • Unbuffered channels sent to from goroutines that may outlive the receiver → goroutine leak
  • close() called on a channel that may already be closed → panic

Phase 3: Error Handling Audit

Find silent failures:

// Flag patterns:
result, _ = someFunc()     // error discarded with _
res.LastInsertId()         // both return values (id, err) dropped
time.Parse(layout, val)    // both return values (t, err) dropped

Every _ on the error position should be justified or flagged.

SQL patterns:

// Check LastInsertId separately:
id, err := res.LastInsertId()
if err != nil {
    return 0, fmt.Errorf("get insert id: %w", err)
}

Phase 4: Command Injection

Check every exec.Command / exec.CommandContext call:

// Risky: user-controlled input split with strings.Fields
parts := strings.Fields(os.Getenv("USER_CMD"))
cmd := exec.CommandContext(ctx, parts[0], parts[1:]...) // parts[0] is caller-chosen; panics if parts is empty

// Safe: validate no shell metacharacters, or use explicit args.
// exec.Command never invokes a shell, so this check is defence in depth;
// the program name itself must also be restricted to an allowlist.
if strings.ContainsAny(cmdline, "|;&$`(){}") {
    return fmt.Errorf("invalid command")
}
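
An allowlist-based parser is what the "safe" branch usually grows into. The block below is an added example, not code from SKILL.md or from forgou37's project; `allowedPrograms`, `ParseCommand`, `RunAllowed` and the argument character policy are assumptions constructed for illustration. It rejects shell metacharacters, the empty command that would panic on `parts[0]`, program names outside the allowlist, and excess or oddly formed arguments, and only then hands an argv to `exec.CommandContext`.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// Assumed policy (constructed for this example): the only programs the
// service may spawn, with the maximum number of arguments each accepts.
// Keys are bare names so the caller cannot redirect PATH lookup to ./x.
var allowedPrograms = map[string]int{
	"ls":     2,
	"uptime": 0,
}

var (
	ErrShellMeta  = errors.New("command contains shell metacharacters")
	ErrNotAllowed = errors.New("program not in allowlist")
)

// safeArg permits only [A-Za-z0-9._/-]; anything else is rejected so a
// later refactor to `sh -c` or a careless program cannot reinterpret it.
func safeArg(a string) bool {
	for _, r := range a {
		if !(r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' || r >= '0' && r <= '9' || strings.ContainsRune("._/-", r)) {
			return false
		}
	}
	return true
}

// ParseCommand turns an untrusted command line into an argv that is safe
// to hand to exec.CommandContext, or an error explaining the rejection.
func ParseCommand(cmdline string) ([]string, error) {
	if strings.ContainsAny(cmdline, "|;&$`(){}<>\n") {
		return nil, ErrShellMeta
	}
	parts := strings.Fields(cmdline)
	if len(parts) == 0 {
		return nil, errors.New("empty command")
	}
	maxArgs, ok := allowedPrograms[parts[0]]
	if !ok {
		return nil, fmt.Errorf("%w: %q", ErrNotAllowed, parts[0])
	}
	if len(parts)-1 > maxArgs {
		return nil, fmt.Errorf("%q: too many arguments (%d > %d)", parts[0], len(parts)-1, maxArgs)
	}
	for _, a := range parts[1:] {
		if !safeArg(a) {
			return nil, fmt.Errorf("%q: argument %q contains disallowed characters", parts[0], a)
		}
	}
	return parts, nil
}

// RunAllowed spawns the process only after ParseCommand accepted the line.
// argv goes straight to the kernel (no shell), and ctx bounds the run time.
func RunAllowed(ctx context.Context, cmdline string) ([]byte, error) {
	argv, err := ParseCommand(cmdline)
	if err != nil {
		return nil, err
	}
	return exec.CommandContext(ctx, argv[0], argv[1:]...).CombinedOutput()
}

func main() {
	for _, line := range []string{"ls -l /tmp", "uptime; id", "sh -c id", "uptime now", ""} {
		argv, err := ParseCommand(line)
		fmt.Printf("%-14q -> argv=%v err=%v\n", line, argv, err)
	}
}
```

During an audit, the question to ask of each `exec.Command` site is whether argv[0] is a constant or allowlisted name; a metacharacter filter alone still lets the caller pick the binary.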

Phase 5: Auth and Session Checks

  • Are admin routes protected? Check every handler for auth middleware
  • Session IDs: are they random (crypto/rand) or sequential/guessable?
  • Is context.WithTimeout used for all external calls?
  • Are sessions cleaned up on disconnect (no memory leak)?
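
The first two checks on this list (protected admin routes, unguessable session IDs) and the last (cleanup on disconnect) can be exercised against a small in-memory session store. The block below is an added example, not code from SKILL.md or from forgou37's project; `SessionStore`, the `X-Session` header name, `RequireAuth`, `AdminHandler` and `Probe` are assumptions constructed here. IDs are 128 bits from crypto/rand, the store keeps only their SHA-256 so a dumped store does not yield live sessions, and `Probe` drives the handler through `httptest` so both sides of the gate can be checked offline.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// SessionStore maps hashed session IDs to users behind a mutex.
type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]string // sha256(session ID) -> user
}

func NewSessionStore() *SessionStore { return &SessionStore{sessions: map[string]string{}} }

// NewSessionID returns 128 bits of CSPRNG output as 32 hex characters.
// A counter or timestamp here is the "sequential/guessable" finding.
func NewSessionID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", fmt.Errorf("generate session id: %w", err)
	}
	return hex.EncodeToString(b), nil
}

// key hashes the presented ID so the stored value is useless on its own.
func key(id string) string {
	h := sha256.Sum256([]byte(id))
	return hex.EncodeToString(h[:])
}

func (s *SessionStore) Issue(user string) (string, error) {
	id, err := NewSessionID()
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[key(id)] = user
	return id, nil
}

// Revoke is what every disconnect path must call; without it the map
// grows without bound (the "sessions cleaned up on disconnect" check).
func (s *SessionStore) Revoke(id string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, key(id))
}

func (s *SessionStore) lookup(id string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	user, ok := s.sessions[key(id)]
	return user, ok
}

// RequireAuth gates a handler on a valid X-Session header. The audit
// question "are admin routes protected?" becomes "is every admin handler
// registered through this wrapper?".
func (s *SessionStore) RequireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := s.lookup(r.Header.Get("X-Session")); !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// AdminHandler is a constructed admin route, registered through RequireAuth.
func AdminHandler(s *SessionStore) http.Handler {
	return s.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "admin ok")
	}))
}

// Probe sends one GET /admin with the given session header through h and
// returns the status code.
func Probe(h http.Handler, sessionID string) int {
	req := httptest.NewRequest(http.MethodGet, "/admin", nil)
	if sessionID != "" {
		req.Header.Set("X-Session", sessionID)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	store := NewSessionStore()
	admin := AdminHandler(store)
	id, _ := store.Issue("alice")
	fmt.Println(Probe(admin, ""), Probe(admin, "0001"), Probe(admin, id)) // 401 401 200
	store.Revoke(id)
	fmt.Println(Probe(admin, id)) // 401
}
```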

Phase 6: Resource Leak Audit

// File descriptors — check every os.Open has defer Close()
f, err := os.Open(path)
// missing defer f.Close() → leak

// Goroutine leaks — goroutines started without a stop mechanism
go func() {
    for { select { case <-ch: ... } }  // ← what closes ch?
}()

// DB rows — defer rows.Close() right after the Query error check, before the rows.Next() loop
rows, err := db.Query(...)
if err != nil {
    return err
}
defer rows.Close()  // must be present
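
The goroutine case is the one that is hardest to prove closed, so it is worth a worked version. The block below is an added example, not code from SKILL.md or from forgou37's project; `Worker`, `Stopped` and `LeakDemo` are constructed for illustration. `Worker` answers "what closes ch?" two ways: it exits when the producer closes the channel and when the owner cancels the context, and it closes a `done` channel on exit so the owner can verify the goroutine is gone instead of assuming it.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)

// Worker drains ch until either ch is closed by the producer or ctx is
// cancelled. done is closed when the goroutine has exited; processed
// returns how many items it consumed.
func Worker(ctx context.Context, ch <-chan int) (done <-chan struct{}, processed func() int) {
	d := make(chan struct{})
	var mu sync.Mutex
	count := 0
	go func() {
		defer close(d) // always signals exit, whichever branch ends the loop
		for {
			select {
			case _, ok := <-ch:
				if !ok {
					return // producer closed ch
				}
				mu.Lock()
				count++
				mu.Unlock()
			case <-ctx.Done():
				return // owner cancelled: no leak even if ch is never closed
			}
		}
	}()
	return d, func() int {
		mu.Lock()
		defer mu.Unlock()
		return count
	}
}

// Stopped reports whether done was closed within timeout. A false result
// is exactly the leak the audit is looking for.
func Stopped(done <-chan struct{}, timeout time.Duration) bool {
	select {
	case <-done:
		return true
	case <-time.After(timeout):
		return false
	}
}

// LeakDemo exercises both exits and returns
// (stopped by cancel, stopped by channel close, items processed).
func LeakDemo() (bool, bool, int) {
	// 1. ch1 is never closed: without ctx the goroutine would block forever.
	ctx, cancel := context.WithCancel(context.Background())
	ch1 := make(chan int)
	done1, _ := Worker(ctx, ch1)
	cancel()
	byCancel := Stopped(done1, time.Second)

	// 2. The producer closes ch2 after three items: the !ok branch exits.
	ch2 := make(chan int)
	done2, n := Worker(context.Background(), ch2)
	for i := 0; i < 3; i++ {
		ch2 <- i
	}
	close(ch2)
	byClose := Stopped(done2, time.Second)
	return byCancel, byClose, n()
}

func main() {
	byCancel, byClose, n := LeakDemo()
	fmt.Printf("stopped by cancel: %v, stopped by close: %v, processed: %d\n", byCancel, byClose, n)
}
```

When auditing a `go func()` site, look for the same three things: a cancellation or close path that the loop selects on, an owner that actually triggers it on shutdown or disconnect, and some signal (done channel, WaitGroup) that lets the owner wait for the exit.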

Output Format

## Finding [N]: [Title] — [Critical/High/Medium/Low]
**File:** path/file.go:LINE
**Impact:** [what can go wrong]
**Root cause:** [exact code snippet]
**Fix:**
```go
// corrected code
```

Prioritize by: Critical (data loss/auth bypass) → High (crash/leak) → Medium (silent failure) → Low (hardening)

Safe usage advice
Installers should expect this skill to read and reason about Go repository code when explicitly used for an audit. Review any suggested patches before applying them, but the artifact itself does not add executable behavior or special access.
Capability tags
crypto
Capability assessment
Purpose & Capability
The stated purpose is to guide audits of Go codebases for races, leaks, command injection, auth/session issues, and error handling, and the artifact content stays within that scope.
Instruction Scope
Instructions are user-triggered audit workflow guidance and output formatting; they ask the agent to inspect relevant Go project files and produce findings or fixes, with no prompt overrides or unrelated actions.
Install Mechanism
The package contains only a non-executable SKILL.md file; no install scripts, binaries, dependencies, or generated runtime hooks are present.
Credentials
Reviewing Go source files is proportionate to a security-audit skill, and there is no instruction to access unrelated local data or external services.
Persistence & Privilege
No persistence, background execution, privilege escalation, credential/session use, network exfiltration, or automatic mutation authority is present.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install go-security-audit
  3. Once installed, invoke the skill by name or trigger it with /go-security-audit
  4. Provide the required inputs according to the skill's parameter description to get structured output
Version history
v1.0.0
- Initial release of go-security-audit (v1.0.0).
- Audits Go codebases for race conditions, goroutine leaks, missing error handling, command injection, and authentication bypasses.
- Analyzes SSH servers, BBS systems, API services, and CLI tools.
- Produces prioritized finding lists with file:line citations and suggested minimal diff patches.
- Includes a clear audit workflow covering reconnaissance, concurrency, input validation, resource leaks, and more.
Metadata
Slug go-security-audit
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Version count 1
FAQ

What is Go Security Audit?

Perform a security audit of a Go codebase. Targets SSH servers, BBS systems, API services, and CLI tools. Finds race conditions, goroutine leaks, missing err... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 28 downloads to date.

How do I install Go Security Audit?

Run the command "/install go-security-audit" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Go Security Audit free?

Yes. Go Security Audit is completely free, released under the MIT-0 license, and may be freely downloaded, installed and used.

Which platforms does Go Security Audit support?

Go Security Audit is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Go Security Audit?

Developed and maintained by forgou37 (@forgou37); current version v1.0.0.
