Security best practices and vulnerability prevention for Golang. Covers injection (SQL, command, XSS), cryptography, filesystem safety, network security, cookies, secrets management, memory safety, and logging. Apply when writing, reviewing, or auditing Go code for security, or when working on any risky code involving crypto, I/O, secrets management, user input handling, or authentication. Includes configuration of security tools.
Overall score: 87
Does it follow best practices? 85%
Impact: 95% (1.35x average score across 3 eval scenarios)
Passed
No known issues
Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description: it clearly defines its scope (Go security best practices), enumerates specific capability areas, and gives explicit trigger guidance for when to apply it. It uses third-person voice appropriately and covers both the 'what' and 'when' dimensions thoroughly. The only minor improvement would be to mention the '.go' file extension as an additional trigger term.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions and domains: injection types (SQL, command, XSS), cryptography, filesystem safety, network security, cookies, secrets management, memory safety, logging, and security tools configuration. | 3 / 3 |
| Completeness | Clearly answers both 'what' (security best practices covering injection, crypto, filesystem, network, cookies, secrets, memory, logging) and 'when' ('Apply when writing, reviewing, or auditing Go code for security, or when working on any risky code involving crypto, I/O, secrets management, user input handling, or authentication'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'SQL', 'XSS', 'command injection', 'crypto', 'secrets management', 'user input handling', 'authentication', 'Go code', 'security', 'auditing'. Good coverage of terms a developer would use when seeking security guidance for Go. | 3 / 3 |
| Distinctiveness / Conflict Risk | Clearly scoped to Golang security specifically, with distinct triggers around Go code security auditing, vulnerability prevention, and specific security domains. Unlikely to conflict with general Go coding skills or security skills for other languages. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
70%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured security skill that excels at progressive disclosure and workflow clarity, with clear modes of operation and a comprehensive reference architecture. Its main weakness is that actionable code examples are almost entirely deferred to reference files, leaving the main skill body with tables of descriptions rather than executable patterns. The content is mostly concise but could trim some explanatory text that Claude doesn't need (e.g., explaining why MD5 is bad or what STRIDE stands for).
Suggestions
Add 2-3 inline executable code examples for the most critical patterns (parameterized SQL query, safe exec.Command usage, crypto/rand token generation) rather than deferring all examples to reference files.
Trim explanatory text in the Common Mistakes and Anti-Patterns tables — the 'why' columns often explain things Claude already knows; focus on the pattern-to-fix mapping.
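The three patterns the first suggestion asks for (parameterized SQL, argv-based exec.Command, crypto/rand tokens), shown together as an added example. This code is not part of the skill under review or of its reference files; it is written here to illustrate the suggestion. The SQL part assumes a hypothetical users(id, email, username) table and a driver that uses ? placeholders; the exec part assumes an ls binary on PATH; function names such as safeUserQuery, safeListCommand and newToken are illustrative.

```go
package main

import (
	"context"
	"crypto/rand"
	"database/sql"
	"encoding/base64"
	"errors"
	"fmt"
	"os/exec"
	"strings"
	"time"
)

// --- 1. SQL: keep the statement text constant, bind user input as parameters ---

// unsafeUserQuery is the anti-pattern: the input is spliced into the SQL text,
// so a value such as ' OR 1=1 -- rewrites the statement itself.
func unsafeUserQuery(username string) string {
	return "SELECT id, email FROM users WHERE username = '" + username + "'"
}

// safeUserQuery returns a fixed statement with a placeholder and the values to
// bind. The driver transmits the input as data, never as SQL.
func safeUserQuery(username string) (query string, args []any) {
	return "SELECT id, email FROM users WHERE username = ?", []any{username}
}

// lookupUser runs the parameterized query against a caller-supplied *sql.DB.
// Assumes the hypothetical users table described in the lead-in.
func lookupUser(ctx context.Context, db *sql.DB, username string) (id int64, email string, err error) {
	query, args := safeUserQuery(username)
	ctx, cancel := context.WithTimeout(ctx, 2*time.Second)
	defer cancel()
	err = db.QueryRowContext(ctx, query, args...).Scan(&id, &email)
	return id, email, err
}

// --- 2. exec: pass arguments as argv elements, never through a shell ---

// unsafeShellCommand is the anti-pattern: the input is concatenated into a
// shell command line, so "/tmp; rm -rf ~" runs a second command.
func unsafeShellCommand(dir string) *exec.Cmd {
	return exec.Command("sh", "-c", "ls -l "+dir)
}

// safeListCommand builds argv directly. The user-supplied directory is a single
// argument, so shell metacharacters in it are inert, and "--" ends option
// parsing so a value beginning with "-" cannot be interpreted as a flag.
func safeListCommand(ctx context.Context, dir string) (*exec.Cmd, error) {
	if dir == "" || strings.ContainsRune(dir, 0) {
		return nil, errors.New("invalid directory argument")
	}
	return exec.CommandContext(ctx, "ls", "-l", "--", dir), nil
}

// --- 3. tokens: crypto/rand, never math/rand ---

// newToken returns nBytes from the OS CSPRNG, encoded as unpadded URL-safe
// base64, suitable for session identifiers or password-reset tokens.
func newToken(nBytes int) (string, error) {
	if nBytes < 16 {
		return "", errors.New("token too short: use at least 128 bits")
	}
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

func main() {
	payload := "' OR 1=1 --"
	fmt.Println("unsafe SQL :", unsafeUserQuery(payload))
	q, args := safeUserQuery(payload)
	fmt.Printf("safe SQL   : %s  args=%q\n", q, args)

	cmd, _ := safeListCommand(context.Background(), "/tmp; rm -rf ~")
	fmt.Printf("argv       : %q\n", cmd.Args)
	fmt.Printf("shell argv : %q\n", unsafeShellCommand("/tmp; rm -rf ~").Args)

	tok, _ := newToken(32)
	fmt.Println("token      :", tok)
}
```

Run it with go run. lookupUser needs a live database handle, so main only prints the constant query text with its bound arguments, the argv each exec form would pass (the payload stays one element in the safe form and becomes part of the command line in the shell form), and a fresh 256-bit token.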
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is reasonably efficient but includes some unnecessary framing (e.g., the 'Security Thinking Model' section explains concepts Claude already knows about threat modeling). The tables and quick reference are dense and useful, but the anti-patterns and common mistakes tables have some redundancy with each other and with the referenced files. The persona/modes preamble adds value but is slightly verbose. | 2 / 3 |
| Actionability | The skill provides concrete tool commands (gosec, govulncheck, go test -race) and a useful quick-reference table mapping vulnerabilities to standard library solutions. However, it lacks executable code examples for the most critical patterns (e.g., no parameterized SQL example, no exec.Command safe usage example); those are deferred to reference files. The tables describe fixes in prose rather than showing them. | 2 / 3 |
| Workflow Clarity | The three modes (Review, Audit, Coding) are clearly defined with distinct workflows. The audit mode specifies parallel sub-agents with explicit domains. The 'Research Before Reporting' section provides a clear 4-step validation workflow with severity adjustment guidance and documentation requirements. The review mode includes tracing data flows beyond the diff, which is a validation checkpoint. | 3 / 3 |
| Progressive Disclosure | Excellent progressive disclosure structure: the main file serves as a clear overview with a quick-reference table, then points to 12 well-organized reference files covering specific domains (cryptography, injection, filesystem, etc.). References are one level deep, clearly signaled with descriptive labels, and organized logically. Cross-references to other skills are also included. | 3 / 3 |
| Total | | 10 / 12 Passed |
Validation
81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
metadata_field | 'metadata' should map string keys to string values | Warning |
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |
e9761db