golang-continuous-integration

Pass

Audited by Gen Agent Trust Hub on May 24, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The AI code review workflows utilize npx skills add to fetch specialized Go guidelines from the author's official GitHub repository (samber/cc-skills-golang). This is a documented method for extending the agent's capabilities with project-specific context.
  • [DATA_EXFILTRATION]: All provided GitHub Action templates follow industry best practices for data security, such as using secrets.GITHUB_TOKEN and dedicated repository secrets (e.g., ANTHROPIC_API_KEY, DOCKERHUB_TOKEN) rather than hardcoded credentials.
  • [INDIRECT_PROMPT_INJECTION]: The skill implements AI-powered PR reviews that process untrusted data from the repository (diffs, descriptions, and comments). This creates a known surface for indirect prompt injection where malicious PR content could attempt to influence the reviewer's output. The skill mitigates this through clear prompt scoping and explicit guidance on repository security settings, such as restricting fork PR workflows.
  • [REMOTE_CODE_EXECUTION]: The workflow templates use well-known, version-pinned GitHub Actions from established organizations (e.g., actions/checkout, golangci/golangci-lint-action, securego/gosec, anthropics/claude-code-action). The release and deployment pipelines are restricted to trusted triggers such as tag pushes and protected branches.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 24, 2026, 06:49 AM