Is irook661/go-linter-configuration safe?
https://github.com/openclaw/skills/tree/main/skills/irook661/go-linter-configuration
The go-linter-configuration skill by irook661 is a documentation-only skill providing golangci-lint configuration templates and CI/CD workflow examples. No prompt injection, data exfiltration, or malicious behaviors were detected; canary files remained fully intact and network activity during clone was limited to expected GitHub HTTPS connections. Two minor concerns were noted: the golangci-lint install script fetches its installer from an unpinned master branch URL (a low-severity supply-chain weakness, since whatever that branch serves runs at install time), and the Go download targets amd64 while the audit host is arm64 (a functional defect). Both point to untested install scripts rather than to malicious intent.
Findings (4)
LOW golangci-lint Install Script Uses Unpinned master Branch URL -12
The metadata install script fetches the golangci-lint installer from 'https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh', i.e. from the master branch rather than from a specific commit hash. The binary version the installer is asked to fetch is pinned (v1.59.1), but the installer script itself floats with the branch, so a compromise of the golangci-lint repository's master branch (or of any account able to push to it) would result in arbitrary code execution on every install. Pinning the URL to a commit hash and checking the script's SHA-256 before running it removes the dependency on the branch; pinning to a tag would not, since tags can be moved.
LOW Go Download Targets Wrong CPU Architecture -6
The Go install script downloads go1.21.5.linux-amd64.tar.gz and extracts it to /usr/local, but the audit VM is aarch64/arm64 (evidenced by /usr/lib/aarch64-linux-gnu paths throughout the process execution log). An x86-64 ELF will not execute on an arm64 host (absent user-mode emulation the kernel rejects it with an exec format error), so the installed toolchain would be unusable. This is a functional defect demonstrating untested install scripts rather than a security concern, but it erodes confidence in the skill's quality controls.
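As an added example (not the skill's install script and not code from the audit), the shell below shows what a hardened version of the two install steps in the findings above would look like: it refuses an installer URL whose ref is a branch or tag rather than a commit hash, verifies the downloaded installer and the Go tarball against SHA-256 digests before using them, and derives the tarball name from `uname -m` instead of hard-coding amd64. The commit hash and both digest values are placeholders to be filled in from the golangci-lint repository and https://go.dev/dl/; `raw_github_ref_kind`, `go_tarball_name`, `fetch_verified` and `install_toolchain` are names chosen here, not anything the skill defines.

```shell
#!/usr/bin/env bash
# Added example, not the skill's own install script: a hardened version of the
# two install steps the findings describe. The commit hash and the two SHA-256
# values below are placeholders (assumptions), not real release digests.
set -eu

# Classify the ref segment of a raw.githubusercontent.com URL.
# Prints "pinned" for a 40-hex commit SHA, "floating" for a branch or tag name
# (both can move after the fact), and "unknown" if the URL does not parse.
raw_github_ref_kind() {
  local url="$1" ref
  ref=$(printf '%s\n' "$url" | sed -E 's#^https://raw\.githubusercontent\.com/[^/]+/[^/]+/([^/]+)/.*$#\1#')
  if [ "$ref" = "$url" ]; then
    echo unknown
    return 0
  fi
  case "$ref" in
    ""|*[!0-9a-f]*) echo floating ;;   # contains a non-hex character: branch or tag
    *) if [ "${#ref}" -eq 40 ]; then echo pinned; else echo floating; fi ;;
  esac
}

# Map `uname -m` output to the GOARCH string used in Go's download file names.
go_arch_for_machine() {
  case "$1" in
    x86_64|amd64)  echo amd64 ;;
    aarch64|arm64) echo arm64 ;;
    armv6l|armv7l) echo armv6l ;;
    *) echo "unsupported machine type: $1" >&2; return 1 ;;
  esac
}

# File name of the official Linux tarball for a Go version on a given machine,
# e.g. go_tarball_name 1.21.5 aarch64 -> go1.21.5.linux-arm64.tar.gz
go_tarball_name() {
  local arch
  arch=$(go_arch_for_machine "$2") || return 1
  echo "go$1.linux-$arch.tar.gz"
}

# Download to a file and refuse to keep it unless its SHA-256 matches.
fetch_verified() {  # fetch_verified <url> <expected_sha256> <dest>
  local actual
  curl -fsSL --proto '=https' --tlsv1.2 -o "$3" "$1"
  actual=$(sha256sum "$3" | cut -d' ' -f1)
  if [ "$actual" != "$2" ]; then
    echo "checksum mismatch for $1: got $actual, want $2" >&2
    rm -f "$3"
    return 1
  fi
}

# The hardened install: pinned installer commit + digest, arch-correct Go tarball + digest.
install_toolchain() {
  local installer_commit='0000000000000000000000000000000000000000'          # placeholder
  local installer_sha256='<sha256 of install.sh at that commit>'             # placeholder
  local go_version='1.21.5'
  local go_sha256='<sha256 listed on https://go.dev/dl/ for the tarball>'    # placeholder
  local installer_url="https://raw.githubusercontent.com/golangci/golangci-lint/$installer_commit/install.sh"
  local tmp tarball
  tmp=$(mktemp -d)

  [ "$(raw_github_ref_kind "$installer_url")" = pinned ] || { echo "refusing floating installer ref" >&2; return 1; }
  fetch_verified "$installer_url" "$installer_sha256" "$tmp/install.sh"
  sh "$tmp/install.sh" -b /usr/local/bin v1.59.1

  tarball=$(go_tarball_name "$go_version" "$(uname -m)")
  fetch_verified "https://go.dev/dl/$tarball" "$go_sha256" "$tmp/$tarball"
  rm -rf /usr/local/go
  tar -C /usr/local -xzf "$tmp/$tarball"
  rm -rf "$tmp"
}

# Stand-alone run: report on the URL the skill uses and the tarball this machine needs.
# Pass --install to actually run the hardened install (needs root and real digests).
if [ "${1:-}" = --install ]; then
  install_toolchain
else
  echo "skill installer ref: $(raw_github_ref_kind 'https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh')"
  echo "go tarball for this machine: $(go_tarball_name 1.21.5 "$(uname -m)" || echo unsupported)"
fi
```

Run without arguments it only classifies the URL the skill currently uses (floating) and prints the tarball name the host actually needs; `--install` performs the download, verification and extraction and requires root plus the real digests in place of the placeholders.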
INFO Canary File Access Events in auditd — Attributed to Audit Infrastructure -10
auditd PATH records show two sets of accesses to all six honeypot credential files. The first set (timestamp 1771931912.364) occurs at the very start of monitoring before any skill activity, consistent with the audit framework recording baseline state. The second set (1771931934.705) occurs after skill installation, consistent with a final integrity check. No EXECVE event at these timestamps matches skill-executed code. Canary integrity check confirms all files intact.
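The attribution above rests on matching each PATH record against the SYSCALL record of the same audit event (which carries the pid, comm and exe of the accessing process) and on there being no EXECVE event for that process. The script below, an added example that is not part of the audit tooling, does that correlation over a constructed sample of raw auditd lines; the honeypot paths, pids and process names are made up for illustration, and the sample deliberately includes one access by a shell that auditd saw exec a script, to show how a skill-originated access would stand out from the two baseline touches.

```shell
#!/usr/bin/env bash
# Added example, not part of the audit report: correlate auditd PATH records that
# touch honeypot files with the SYSCALL record of the same event (pid, comm, exe)
# and with EXECVE events recorded for that pid. All log lines are constructed.
set -eu

# Constructed honeypot paths (the report does not name its six files).
CANARY_FILES='/root/.aws/credentials /root/.ssh/id_rsa'

# Constructed raw auditd records (arm64: syscall 56 = openat, 221 = execve): two
# baseline touches by an audit helper and, for contrast, one touch by a shell
# that auditd saw exec a skill script.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1771931912.364:101): arch=c00000b7 syscall=56 success=yes exit=3 pid=4120 comm="audit-baseline" exe="/opt/audit/bin/audit-baseline"
type=PATH msg=audit(1771931912.364:101): item=0 name="/root/.aws/credentials" inode=1234 mode=0100600
type=SYSCALL msg=audit(1771931920.010:130): arch=c00000b7 syscall=221 success=yes exit=0 pid=4200 comm="sh" exe="/usr/bin/dash"
type=EXECVE msg=audit(1771931920.010:130): argc=3 a0="sh" a1="-c" a2="./install.sh"
type=SYSCALL msg=audit(1771931920.450:131): arch=c00000b7 syscall=56 success=yes exit=3 pid=4200 comm="sh" exe="/usr/bin/dash"
type=PATH msg=audit(1771931920.450:131): item=0 name="/root/.ssh/id_rsa" inode=1240 mode=0100600
type=SYSCALL msg=audit(1771931934.705:180): arch=c00000b7 syscall=56 success=yes exit=3 pid=4120 comm="audit-baseline" exe="/opt/audit/bin/audit-baseline"
type=PATH msg=audit(1771931934.705:180): item=0 name="/root/.aws/credentials" inode=1234 mode=0100600'

# canary_access_report <space-separated canary paths>   (raw audit log on stdin)
# Prints one line per honeypot access: timestamp, pid/comm/exe of the accessing
# process, the file, and whether an EXECVE was recorded for that pid.
canary_access_report() {
  awk -v canaries="$1" '
  function fld(s, name,    v) {           # value of the " name=value" field in a record
    if (match(s, " " name "=[^ ]+")) {
      v = substr(s, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
      gsub(/"/, "", v)
      return v
    }
    return ""
  }
  BEGIN { n = split(canaries, c, " "); for (i = 1; i <= n; i++) is_canary[c[i]] = 1 }
  {
    if (!match($0, /audit\([0-9.]+:[0-9]+\)/)) next
    key = substr($0, RSTART + 6, RLENGTH - 7)     # "timestamp:serial" names one event
    rtype = $1; sub(/^type=/, "", rtype)
    if (rtype == "SYSCALL") {
      pid[key] = fld($0, "pid"); comm[key] = fld($0, "comm"); exe[key] = fld($0, "exe")
    } else if (rtype == "EXECVE") {
      exec_event[key] = 1
    } else if (rtype == "PATH") {
      f = fld($0, "name")
      if (f in is_canary) { m++; akey[m] = key; afile[m] = f }
    }
  }
  END {
    for (k in exec_event) execd[pid[k]] = 1        # pids that auditd saw exec something
    for (i = 1; i <= m; i++) {
      k = akey[i]; split(k, kp, ":")
      seen = (pid[k] in execd) ? "yes" : "no"
      printf "%s pid=%s comm=%s exe=%s file=%s execve_seen=%s\n", kp[1], pid[k], comm[k], exe[k], afile[i], seen
    }
  }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | canary_access_report "$CANARY_FILES"
```

On the constructed sample the two accesses at 1771931912.364 and 1771931934.705 come from the audit helper with no EXECVE on record, matching the pattern the finding describes, while the access at 1771931920.450 is tied to a pid that exec'd ./install.sh and is the kind of line that would justify a real finding.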
INFO Network Activity Limited to Expected Infrastructure -5
The clone operation contacted only github.com (140.82.112.3) for the sparse git checkout. Additional connections to Canonical update servers and from the openclaw-gatewa process (a comm name, truncated by the kernel's 15-character limit) are attributable to VM OS services and audit infrastructure respectively. No DNS queries to unexpected domains and no outbound connections from skill-originated processes were observed.