go-nolint-audit

Pass

Audited by Gen Agent Trust Hub on Jun 17, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes data from untrusted Go source files to conduct an analytical debate. A malicious codebase could contain crafted comments designed to manipulate the agent's evaluation logic or provide misleading context.\n
  • Ingestion points: Reads *.go files using grep in SKILL.md.\n
  • Boundary markers: Absent; the instructions do not specify delimiters or warnings to ignore instructions embedded in the source code.\n
  • Capability inventory: Executes shell commands via grep and golangci-lint, and proposes code changes to the user.\n
  • Sanitization: Absent; the skill does not include steps to sanitize or validate the extracted comments before processing them.\n- [COMMAND_EXECUTION]: The skill instructs the agent to construct shell commands for golangci-lint using lint rule names and file paths parsed from the source code. If a malicious file contains shell metacharacters within a //nolint: directive or in its filename, it could result in command injection when the agent attempts to verify the suppression.\n- [EXTERNAL_DOWNLOADS]: The skill references the official installation documentation for golangci-lint at https://golangci-lint.run/welcome/install/. This is a well-known and trusted service for the Go ecosystem and does not contribute to verdict escalation.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 17, 2026, 03:37 AM
Security Audit — agent-trust-hub — go-nolint-audit