
golang-security

Security best practices and vulnerability prevention for Golang. Covers injection (SQL, command, XSS), cryptography, filesystem safety, network security, cookies, secrets management, memory safety, and logging. Apply when writing, reviewing, or auditing Go code for security, or when working on any risky code involving crypto, I/O, secrets management, user input handling, or authentication. Includes configuration of security tools.

Overall score: 88

Quality: 85% (Does it follow best practices?)

Impact: 98% (1.10x), average score across 3 eval scenarios

Security (by Snyk): Passed, no known issues


Quality

Discovery: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description that clearly defines its scope (Go security), lists specific capability areas comprehensively, and provides explicit trigger guidance with an 'Apply when...' clause. The description uses proper third-person voice and includes natural keywords that users would employ when seeking security guidance for Go code.

| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions and domains: injection types (SQL, command, XSS), cryptography, filesystem safety, network security, cookies, secrets management, memory safety, logging, and security tools configuration. | 3 / 3 |
| Completeness | Clearly answers both 'what' (security best practices covering injection, crypto, filesystem safety, etc.) and 'when' ('Apply when writing, reviewing, or auditing Go code for security, or when working on any risky code involving crypto, I/O, secrets management, user input handling, or authentication'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'SQL', 'XSS', 'crypto', 'secrets management', 'user input handling', 'authentication', 'Go code', 'security', 'vulnerability', 'auditing'. Good coverage of terms across security domains. | 3 / 3 |
| Distinctiveness / Conflict Risk | Clearly scoped to Golang security specifically, with distinct triggers around Go code + security concerns. The combination of language-specific (Golang) and domain-specific (security) focus makes it unlikely to conflict with general Go skills or general security skills. | 3 / 3 |
| Total | | 12 / 12 (Passed) |

Implementation: 70%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured security skill with excellent progressive disclosure and clear workflow definitions for three distinct operating modes. Its main weakness is that the body itself is light on executable Go code examples — nearly all concrete code is delegated to reference files — and some content is somewhat verbose with overlapping tables. The skill would benefit from a few inline secure/insecure code pairs to make the main body more immediately actionable without requiring reference file lookups.

Suggestions

Add 2-3 inline Go code examples showing secure vs insecure patterns (e.g., parameterized SQL query, safe exec.Command usage) so the main body is actionable without requiring reference file access.

Consolidate the 'Common Mistakes' and 'Security Anti-Patterns' tables — several entries overlap conceptually (e.g., crypto errors, rolling your own crypto) and could be merged to reduce token usage.

| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is generally well-organized and avoids explaining basic Go concepts, but includes some redundancy: the severity levels appear in multiple tables, DREAD is mentioned repeatedly, and some sections like 'Security Thinking Model' and 'Research Before Reporting' are somewhat verbose for what Claude already understands about security analysis. The anti-patterns and common mistakes tables overlap conceptually. However, most content earns its place. | 2 / 3 |
| Actionability | The quick reference table and common mistakes table provide concrete guidance, and the tooling section has executable commands. However, the skill heavily delegates to reference files for actual code examples and detailed implementation. The main body lacks executable Go code snippets showing secure vs insecure patterns; it describes what to do rather than showing how. The audit/review mode descriptions are procedural but lack concrete examples of output format or specific grep patterns. | 2 / 3 |
| Workflow Clarity | The three modes (Review, Audit, Coding) are clearly defined with distinct workflows. The audit mode specifies parallel sub-agents with five explicit domains. The 'Research Before Reporting' section provides a clear 4-step investigation workflow with severity adjustment guidance and documentation requirements. The review mode traces data flows sequentially. Validation is addressed through tooling (gosec, govulncheck, race detector) and the checklist reference. | 3 / 3 |
| Progressive Disclosure | Excellent progressive disclosure structure: the main skill provides a concise overview with quick reference tables, then clearly signals 11+ reference files organized by domain (cryptography, injection, filesystem, etc.) with descriptive one-line summaries. References are one level deep and well-organized. Cross-references to other skills are clearly marked. The checklist is appropriately separated into its own reference file. | 3 / 3 |
| Total | | 10 / 12 (Passed) |

Validation: 81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
|---|---|---|
| metadata_field | 'metadata' should map string keys to string values | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 (Passed) |

Repository: samber/cc-skills-golang (Reviewed)
