← 返回 Skills 市场

Go Security Vulnerability

Name: Go Security Vulnerability
Author: irook661

作者 irook661 · GitHub ↗ · v0.1.0

cross-platform ✓ 安全检测通过

1888

总下载

当前安装

版本数

在 OpenClaw 中安装

/install go-security-vulnerability

功能描述

Identify, assess, and fix security vulnerabilities in Go modules using govulncheck. Handle common vulnerabilities like JWT issues and ensure application stability during fixes.

使用说明 (SKILL.md)

Go Security Vulnerability Skill

Use Go tooling to identify, assess, and fix security vulnerabilities in Go modules. This skill helps detect and remediate vulnerabilities while maintaining application functionality.

Vulnerability Detection

Scan for vulnerabilities in your Go project:

go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...

Check specific modules for known vulnerabilities:

govulncheck -show verbose ./...

Assessment Process

Identify Affected Packages: Determine which dependencies contain vulnerabilities
Check Severity: Review the CVE details and potential impact
Verify Usage: Confirm if the vulnerable functions are actually used in your code
Plan Remediation: Choose the appropriate fix strategy

Common Fix Strategies

Direct Dependency Update

Update vulnerable packages to secure versions:

go get -u vulnerable/package@latest
go mod tidy

Transitive Dependency Handling

For vulnerabilities in transitive dependencies:

go mod why vulnerable/package  # Understand why it's included
go mod edit -replace vulnerable/package=newer-version  # Replace if needed
go mod tidy

Removal Strategy

If a dependency is unused or can be replaced:

Remove direct imports of the vulnerable code
Run go mod tidy to clean up unused dependencies
Verify application functionality remains intact

Verification Steps

After applying fixes:

# Verify no vulnerabilities remain
govulncheck ./...

# Ensure application still builds
go build ./...

# Run tests to verify functionality
go test ./...

Common Vulnerabilities

JWT Libraries

Issue: github.com/golang-jwt/jwt GO-2025-3553 (excessive memory allocation)
Fix: Update to newer version or switch to golang.org/x/oauth2 alternatives

Standard Library Updates

Keep Go version updated for security patches
Run go vuln to check for stdlib vulnerabilities

Best Practices

Regularly scan dependencies with govulncheck
Keep dependencies updated with go get -u
Use go mod tidy to remove unused dependencies
Test thoroughly after vulnerability fixes
Monitor for new vulnerabilities with automated tools

安全使用建议

This skill is coherent with its purpose, but review and control any install steps before running. Specifically: 1) Do not run the curl | tar install blindly — prefer installing Go via your OS package manager, an official installer you verify, or run the script in a controlled environment; the script writes to /usr/local and may require root and can overwrite an existing Go install. 2) When applying fixes (go get -u, go mod edit -replace), work on a branch, run go build/tests and CI, and review diff/commit history — updating dependencies can break behavior. 3) Because the skill is instruction-only, there's no code to audit beyond SKILL.md; if you plan to let an agent execute these steps autonomously, ensure it runs in a sandboxed or CI environment and that you review any network downloads. 4) If you prefer lower risk, pre-install a vetted Go toolchain yourself and only allow the skill to run govulncheck and suggest remediation commands for manual approval.

功能分析

Type: OpenClaw Skill Name: go-security-vulnerability Version: 0.1.0 The skill bundle is designed to identify and fix Go security vulnerabilities using official Go tooling. The `SKILL.md` includes an installation step that uses `curl -L https://golang.org/dl/go1.21.5.linux-amd64.tar.gz | tar -C /usr/local -xzf -` to install Go. While `curl | tar` is a powerful command, it sources from the official `golang.org` domain and is a standard method for installing Go, aligning with the skill's purpose. All other commands are standard `go` and `govulncheck` operations. There is no evidence of data exfiltration, malicious execution, persistence, obfuscation, or prompt injection attempts against the agent.

能力评估

✓ Purpose & Capability

Name/description (Go vulnerability scanning & fixes) align with required binaries (go) and the SKILL.md instructions (install and run govulncheck, update go.mod, run go build/test). Requested capabilities are coherent with the stated purpose.

ℹ Instruction Scope

Instructions are focused on scanning (govulncheck), determining impacted packages, and remediation (go get -u, go mod edit -replace, go mod tidy). They explicitly modify project files (go.mod) and pull code from public module sources — this is expected, but the skill's guidance to update to latest versions can break builds if not tested; the SKILL.md sensibly includes verification steps (build/tests).

⚠ Install Mechanism

The install spec is a shell script that pipes curl to tar and extracts an official Go tarball into /usr/local. Although the source domain (golang.org) is legitimate, piping network content directly into tar and writing to /usr/local (requires elevated privileges and can overwrite existing Go installations) raises operational and supply-chain risk. This is a higher-risk install mechanism compared with using a package manager or vetted release installer.

✓ Credentials

The skill requests no environment variables or external credentials. That is proportional — both govulncheck and the remediation steps do not inherently require secrets. No unrelated credentials or config paths are requested.

✓ Persistence & Privilege

always is false and the skill is user-invocable only; it does not request persistent system-wide configuration beyond installing Go (via the provided script). The install will create binaries in the system, but the skill does not demand elevated persistent privileges or modify other skills' configs.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install go-security-vulnerability
安装完成后，直接呼叫该 Skill 的名称或使用 /go-security-vulnerability 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v0.1.0

Initial release of go-security-vulnerability skill. - Adds vulnerability detection using govulncheck on Go modules. - Guides users through assessment and prioritization of security issues. - Provides step-by-step instructions for fixing direct and transitive dependency vulnerabilities. - Covers strategies for removing unused dependencies and verifying application stability after fixes. - Includes best practices for ongoing security monitoring and guidance for handling common issues like JWT vulnerabilities.

元数据

Slug go-security-vulnerability

版本 0.1.0

许可证 —

累计安装 2

当前安装数 2

历史版本数 1

常见问题