> golang-security

Secure Go backend services against common vulnerabilities. Use when implementing input validation, crypto, or SQL injection prevention in Go. (triggers: crypto/rand, argon2, sanitize, jwt, bcrypt, validation, input validation, sql injection)


Golang Security Standards

Priority: P0 (CRITICAL)

Implementation Guidelines

Input Validation

  • Validation: Use go-playground/validator or google/go-cmp for struct validation.
  • Sanitization: Sanitize user input before processing. Use bluemonday for HTML sanitization.

Cryptography

  • Random: ALWAYS use crypto/rand, NEVER math/rand for security-sensitive operations (tokens, keys, IVs).
  • Hashing: Use Argon2id for password hashing (golang.org/x/crypto/argon2). Do NOT use bcrypt (weaker) or MD5/SHA1 (insecure). Recommended params: time=1, memory=64MB, threads=4 (note that argon2.IDKey takes memory in KiB, so 64MB is passed as 64*1024). Generate a fresh per-password salt with crypto/rand.
  • Encryption: Use crypto/aes with GCM mode for authenticated encryption.

SQL Injection Prevention

  • Parameterized Queries: ALWAYS use $1, $2 placeholders with database/sql or an ORM (GORM, sqlx); the placeholder syntax is driver-specific ($1 for PostgreSQL, ? for MySQL and SQLite), but user input always goes in as a bound argument, never into the query string.
  • No String Concatenation: Never build queries with fmt.Sprintf().

Authentication

  • JWT: Use golang-jwt/jwt v5+. Enforce RS256 (preferred) or HS256. Reject the none algorithm, and reject symmetric algorithms (HS256) for multi-service auth. Validate the alg, iss, aud, and exp claims.
  • Sessions: Use secure, httpOnly cookies with gorilla/sessions.

Secret Management

  • Environment Variables: Load secrets via godotenv or Kubernetes secrets.
  • No Hardcoding: Never commit API keys, passwords, or tokens to Git.

Anti-Patterns

  • No math/rand for Security: RNG is predictable. Use crypto/rand.
  • No fmt.Sprintf() for SQL: Causes SQL injection. Use placeholders.
  • No bcrypt or MD5 for Passwords: Use argon2id exclusively.
  • No Exposed Error Details: Don't leak stack traces to clients in production.


Repository: HoangNguyen0403/agent-skills-standard by HoangNguyen0403 (first seen Mar 17, 2026)