dancon-secure-coder-go
ALWAYS use this skill whenever generating, writing, reviewing, editing, or modifying Go (.go) code in any context. This skill ensures all generated Go code avoids the CWE Top 25 2025 weaknesses that apply to Go, and that every piece of Go code includes appropriate input validation, thorough error handling, and safe error messages that never leak passwords, tokens, API keys, or other secrets. The Go `unsafe` package is absolutely prohibited and must never appear in generated code. Trigger on ANY Go code generation -- there are no exceptions. Even trivial examples and one-off snippets must follow these rules. If the user asks for Go code, read this skill first.
87
83%
Does it follow best practices?
Impact
94%
1.14xAverage score across 3 eval scenarios
Passed
No known issues
Quality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a reasonably well-written skill description that clearly communicates both what it does (enforces secure Go coding practices) and when to use it (any Go code generation or modification). Its main strengths are the explicit trigger guidance and good coverage of natural keywords. Its weaknesses are the somewhat generic security practices that could overlap with other security-focused skills, and the use of imperative/second-person voice ('ALWAYS use this skill', 'If the user asks') rather than third-person descriptive voice.
Suggestions
Rewrite in third-person voice (e.g., 'Enforces secure coding practices for Go (.go) code generation and modification') instead of imperative/second-person ('ALWAYS use this skill whenever...').
Improve distinctiveness by emphasizing what makes this specifically a Go security skill versus a general secure coding skill — e.g., mention Go-specific concerns like goroutine safety, Go-specific CWE patterns, or Go standard library security considerations.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | The description names the domain (Go code) and several actions (generating, writing, reviewing, editing, modifying), and mentions specific practices like input validation, error handling, safe error messages, and prohibition of the `unsafe` package. However, the actions are more about coding practices/constraints than concrete discrete capabilities, making it somewhat but not fully specific. | 2 / 3 |
Completeness | Clearly answers both 'what' (ensures Go code avoids CWE Top 25 weaknesses, includes input validation, error handling, safe error messages, prohibits unsafe package) and 'when' (explicitly states 'ALWAYS use this skill whenever generating, writing, reviewing, editing, or modifying Go (.go) code in any context' and 'Trigger on ANY Go code generation'). The 'when' clause is very explicit. | 3 / 3 |
Trigger Term Quality | Includes strong natural trigger terms: 'Go', '.go', 'Go code', 'generating', 'writing', 'reviewing', 'editing', 'modifying'. These are terms users would naturally use when requesting Go code work. Also mentions specific technical terms like 'CWE Top 25', 'input validation', 'error handling', 'unsafe package' that are relevant. | 3 / 3 |
Distinctiveness Conflict Risk | While it's clearly scoped to Go code specifically (which helps), the security-focused nature could overlap with a general secure coding skill or a broader code review skill. The Go-specific focus and .go file extension help distinguish it, but the security practices described are somewhat generic across languages. | 2 / 3 |
Total | 10 / 12 Passed |
Implementation
85%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured, token-efficient security skill that uses tables and checklists effectively to convey dense information. Its main strength is the progressive disclosure pattern — a quick-reference table for common cases with clear pointers to detailed reference files. The primary weakness is the absence of any inline executable code examples; all concrete code is deferred to reference files, which slightly reduces immediate actionability.
Suggestions
Add 1-2 minimal inline code examples for the most common patterns (e.g., parameterized SQL query, safe error handling) so the skill is immediately actionable without requiring reference file lookups.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | Every section earns its place. The table format is extremely token-efficient for conveying CWE-to-rule mappings. No unnecessary explanations of what CWEs are or how Go works. The checklist is dense but each item is actionable and non-obvious. | 3 / 3 |
Actionability | The quick-reference table provides specific function names and patterns (e.g., `filepath.Abs + strings.HasPrefix`, `exec.Command(name, arg1, arg2)`), which is concrete. However, the skill itself contains no executable code examples — all examples are deferred to reference files. The checklist is actionable but the main body lacks copy-paste-ready code. | 2 / 3 |
Workflow Clarity | The mandatory checklist at the end provides a clear validation workflow with an explicit feedback loop: 'If any check fails, fix the issue and re-run the full checklist before presenting code.' The checklist is well-categorized and sequenced logically from unsafe checks through errors, input validation, runtime safety, and application security. | 3 / 3 |
Progressive Disclosure | Excellent structure: quick-reference table for fast lookup, core principles for orientation, and clearly signaled one-level-deep references to three specific files (cwe-web.md, cwe-system.md, error-and-input.md) with explicit content descriptions. The guidance to 'read these when the quick-reference table is insufficient' is well-calibrated. | 3 / 3 |
Total | 11 / 12 Passed |
Validation
100%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
- Repository
- danielyan-consulting/skills
- Commit
9d79cb6
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.