Security best practices and vulnerability prevention for Golang. Covers injection (SQL, command, XSS), cryptography, filesystem safety, network security, cookies, secrets management, memory safety, and logging. Apply when writing, reviewing, or auditing Go code for security, or when working on any risky code involving crypto, I/O, secrets management, user input handling, or authentication. Includes configuration of security tools.
Overall score: 88
Quality: 85% (Does it follow best practices?)
Impact: 96% (1.39x average score across 3 eval scenarios)
Status: Passed, no known issues
Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its scope (Go security best practices), enumerates specific capability areas, and provides explicit trigger conditions. It uses third-person voice appropriately and includes natural keywords that developers would use when seeking security guidance for Go code.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific, concrete actions and domains: injection types (SQL, command, XSS), cryptography, filesystem safety, network security, cookies, secrets management, memory safety, logging, and security tool configuration. | 3 / 3 |
| Completeness | Clearly answers both 'what' (security best practices covering injection, crypto, filesystem, network, cookies, secrets, memory, logging) and 'when' ('Apply when writing, reviewing, or auditing Go code for security, or when working on any risky code involving crypto, I/O, secrets management, user input handling, or authentication'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'SQL', 'XSS', 'command injection', 'crypto', 'secrets management', 'user input handling', 'authentication', 'Go code', 'security', 'auditing'. Good coverage of the terms a developer would use when seeking security guidance for Go. | 3 / 3 |
| Distinctiveness / Conflict Risk | Clearly scoped to Golang security specifically, with distinct triggers around Go code security auditing, vulnerability prevention, and specific security domains. Unlikely to conflict with general Go coding skills or security skills for other languages. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
70%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured security skill that excels at progressive disclosure and workflow clarity, with clear modes of operation and well-organized references to detailed content. Its main weaknesses are moderate verbosity (it explains concepts Claude already knows, such as the STRIDE acronym expansion and basic crypto weaknesses) and limited actionability in the main file itself: most concrete code examples are deferred to reference files, which leaves the main skill somewhat abstract despite good procedural guidance.
Suggestions
Add 1-2 inline executable Go code examples for the most critical vulnerabilities (e.g., parameterized SQL query, secure exec.Command usage) rather than deferring all code to reference files.
Trim explanatory text that Claude already knows, e.g. remove the STRIDE letter-by-letter expansion and explanations like 'Both have known collision attacks and are fast to brute-force' from the Common Mistakes table, and trust Claude to understand why these are problems.
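To make the first suggestion concrete, the block below is an added editor's example, not code from the skill or its reference files. It shows the two cases the suggestion names, each as the vulnerable form beside its hardened form: a user lookup query assembled with fmt.Sprintf versus the same query with a bound parameter, and a backup command routed through `sh -c` versus one built from an argv slice. The helper names (lookupQuery, archiveCommand, findUser), the `users` table, and the tar invocation are assumptions made for the example; no database driver is registered, so findUser only shows the call site.

```go
package main

import (
	"context"
	"database/sql"
	"fmt"
	"os/exec"
	"strings"
)

// lookupQueryUnsafe splices caller input straight into the SQL text.
// A username of  admin' OR '1'='1  changes the query's logic.
func lookupQueryUnsafe(username string) string {
	return fmt.Sprintf("SELECT id, email FROM users WHERE username = '%s'", username)
}

// lookupQuery keeps the SQL text constant and passes the input as a bound
// parameter, so the driver never parses it as SQL. (Placeholder syntax is
// driver-specific; "?" is assumed here.)
func lookupQuery(username string) (string, []any) {
	return "SELECT id, email FROM users WHERE username = ?", []any{username}
}

// findUser is the call site: db would come from sql.Open with a registered
// driver (assumption: none is registered in this example).
func findUser(ctx context.Context, db *sql.DB, username string) (int64, string, error) {
	q, args := lookupQuery(username)
	var id int64
	var email string
	err := db.QueryRowContext(ctx, q, args...).Scan(&id, &email)
	return id, email, err
}

// archiveCommandUnsafe hands the path to a shell, so metacharacters in it
// become shell syntax: "x; rm -rf /" runs two commands.
func archiveCommandUnsafe(path string) *exec.Cmd {
	return exec.Command("sh", "-c", "tar -czf backup.tgz "+path)
}

// archiveCommand passes argv as separate strings with no shell involved, and
// "--" stops a path that begins with "-" from being read as a tar flag.
// Input validation still belongs in front of it; here NUL bytes and ".."
// traversal are rejected (assumed policy for the example).
func archiveCommand(path string) (*exec.Cmd, error) {
	if strings.ContainsRune(path, 0) || strings.Contains(path, "..") {
		return nil, fmt.Errorf("rejected path %q", path)
	}
	return exec.Command("tar", "-czf", "backup.tgz", "--", path), nil
}

func main() {
	evil := "admin' OR '1'='1"
	fmt.Println("unsafe:", lookupQueryUnsafe(evil))
	q, args := lookupQuery(evil)
	fmt.Println("safe:  ", q, args)
	if cmd, err := archiveCommand("x; rm -rf /"); err == nil {
		// The whole string is a single argv element; no command boundary exists.
		fmt.Println("argv:", cmd.Args)
	}
}
```

exec.Command only constructs the command; nothing runs until Run or Output is called, which is why the hardened form can be inspected through cmd.Args before execution.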
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is generally well-organized but includes some explanatory content that Claude already knows (e.g., what STRIDE stands for, why MD5 is bad, what defense in depth means). The 'Security Thinking Model' and 'Research Before Reporting' sections add value but could be tighter. The tables are efficient, but the overall document is on the verbose side for a skill that delegates most detail to reference files. | 2 / 3 |
| Actionability | The skill provides concrete tool commands (gosec, govulncheck, go test -race) and a useful quick reference table, but most actionable content is deferred to reference files. The main skill body contains no executable Go code examples for the vulnerabilities it lists: the 'Common Mistakes' table says what to do but does not show how. The audit/review mode descriptions are procedural but lack concrete step-by-step commands. | 2 / 3 |
| Workflow Clarity | The three modes (Review, Audit, Coding) are clearly defined with distinct workflows. The audit mode specifies parallel sub-agents with explicit domains. The 'Research Before Reporting' section provides a clear 4-step investigation workflow with severity adjustment guidance and documentation requirements. The review mode includes tracing data flows beyond the diff. Validation is addressed through tooling (gosec, race detector, govulncheck). | 3 / 3 |
| Progressive Disclosure | Excellent progressive disclosure: the main skill provides a concise overview with quick reference tables, then clearly signals 11 one-level-deep reference files covering specific domains. Each reference link includes a brief description of what it covers. The checklist, threat modeling guide, and architecture references are all clearly signaled and appropriately separated. | 3 / 3 |
| Total | | 10 / 12 Passed |
Validation
81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| metadata_field | 'metadata' should map string keys to string values | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 Passed | |
b88f91d