PluginBench
Skill
Pass
Audit score 90

golang-safety

samber/cc-skills-golang

Defensive Golang coding to prevent panics, silent data corruption, and subtle runtime bugs.

What is golang-safety?

This skill teaches defensive Go engineering practices to catch common mistakes like nil panics, slice aliasing, map concurrent access, numeric overflow, and resource leaks. Use it when reviewing code for safety issues, encountering runtime crashes, or designing APIs that won't trap users into nil-related bugs.

  • Prevent nil interface traps and nil map/slice panics through safe initialization patterns
  • Detect and fix slice aliasing bugs caused by append reusing backing arrays
  • Identify numeric conversion overflow and float comparison pitfalls
  • Catch resource leaks from defer in loops and goroutine lifecycle issues
  • Design zero-value safe types and use sync.Once for lazy initialization
  • Return defensive copies from exported functions to protect internal state

How to install golang-safety

npx skills add https://github.com/samber/cc-skills-golang --skill golang-safety
Prerequisites
  • Go compiler (go binary) installed
  • Familiarity with Go basics (slices, maps, interfaces, goroutines)
Claude Code
Cursor
Windsurf
Cline

How to use golang-safety

  1. 1.Identify the safety concern: nil handling, slice/map aliasing, numeric conversion, resource lifecycle, or initialization
  2. 2.Consult the relevant section (Nil Safety, Slice & Map Safety, Numeric Safety, Resource Safety, Immutability & Defensive Copying, Initialization Safety)
  3. 3.Apply the recommended pattern: use comma-ok assertions, defensive copies, lazy initialization with sync.Once, or epsilon comparison for floats
  4. 4.Run linters (errcheck, forcetypeassert, nilerr, govet, staticcheck) to catch violations automatically
  5. 5.Test edge cases: nil values, empty collections, numeric boundaries, and concurrent access

Use cases

Good for
  • Debugging nil pointer panics in interface returns or map operations
  • Reviewing code for silent data corruption from shared slice backing arrays
  • Fixing numeric conversion bugs where int64 values wrap silently to int32
  • Preventing resource accumulation when defer is used inside loops
  • Designing APIs where the zero value is safe and usable without initialization
Who it's for
  • Go backend engineers building production systems
  • Code reviewers checking for latent safety bugs
  • API designers creating libraries with safe zero values
  • Teams using linters to enforce safety patterns

golang-safety FAQ

Why does returning a nil pointer in an interface not equal nil?

Interfaces store both a type descriptor and a value. A typed nil pointer (e.g., *MyHandler = nil) sets the type descriptor, making the interface non-nil even though the pointer is nil. Return nil explicitly instead of a typed nil pointer.

When does append cause silent data corruption?

When append reuses the backing array because capacity allows, both the original and new slice share memory. Modifying one corrupts the other. Use the full slice expression a[:len(a):len(a)] to force a new allocation.

Why do defer statements in loops cause resource leaks?

defer runs at function exit, not loop iteration. All deferred cleanup accumulates until the function returns. Extract the loop body into a separate function so defer runs per iteration.

How do I safely convert between numeric types?

Check bounds before converting. For int64 to int32, verify the value is between math.MinInt32 and math.MaxInt32. Silent wraparound can corrupt data without error.

What is the safest way to handle lazy initialization?

Use sync.Once to guarantee exactly-once initialization even under concurrency. Avoid nil checks and manual initialization which can race or be forgotten.

Full instructions (SKILL.md)

Source of truth, from samber/cc-skills-golang.


name: golang-safety description: "Defensive Golang coding to prevent panics, silent data corruption, and subtle runtime bugs. Use when encountering nil panics, append aliasing, map concurrent access, float comparison pitfalls, or zero-value design questions. Also use when reviewing code for nil-safety, numeric conversion overflow, resource lifecycle issues (defer in loops), or defensive copying of slices and maps." user-invocable: true license: MIT compatibility: Designed for Claude Code or similar AI coding agents, and for projects using Golang. metadata: author: samber version: "1.2.1" openclaw: emoji: "πŸ›‘" homepage: https://github.com/samber/cc-skills-golang requires: bins: - go install: [] allowed-tools: Read Edit Write Glob Grep Bash(go:) Bash(golangci-lint:) Bash(git:*) Agent

Persona: You are a defensive Go engineer. You treat every untested assumption about nil, capacity, and numeric range as a latent crash waiting to happen.

Go Safety: Correctness & Defensive Coding

Prevents programmer mistakes β€” bugs, panics, and silent data corruption in normal (non-adversarial) code. Security handles attackers; safety handles ourselves.

Best Practices Summary

  1. Prefer generics over any when the type set is known β€” compiler catches mismatches instead of runtime panics
  2. Always use safe type assertions β€” for normal interfaces use comma-ok (v, ok := x.(T)); for reflection in Go 1.25+ prefer reflect.TypeAssert[T](value) over value.Interface().(T).
  3. Typed nil pointer in an interface is not == nil β€” the type descriptor makes it non-nil
  4. Writing to a nil map panics β€” always initialize before use
  5. append may reuse the backing array β€” both slices share memory if capacity allows, silently corrupting each other
  6. Return defensive copies from exported functions β€” otherwise callers mutate your internals
  7. defer runs at function exit, not loop iteration β€” extract loop body to a function
  8. Integer conversions truncate silently β€” int64 to int32 wraps without error
  9. Float arithmetic is not exact β€” use epsilon comparison or math/big
  10. Design useful zero values β€” nil map fields panic on first write; use lazy init
  11. Use sync.Once for lazy init β€” guarantees exactly-once even under concurrency

Nil Safety

Nil-related panics are the most common crash in Go.

The nil interface trap

Interfaces store (type, value). An interface is nil only when both are nil. Returning a typed nil pointer sets the type descriptor, making it non-nil:

// βœ— Dangerous β€” interface{type: *MyHandler, value: nil} is not == nil
func getHandler() http.Handler {
    var h *MyHandler // nil pointer
    if !enabled {
        return h // interface{type: *MyHandler, value: nil} != nil
    }
    return h
}

// βœ“ Good β€” return nil explicitly
func getHandler() http.Handler {
    if !enabled {
        return nil // interface{type: nil, value: nil} == nil
    }
    return &MyHandler{}
}

Nil map, slice, and channel behavior

TypeIndex into nilWrite to nilLen/Cap of nilRange over nil
MapZero valuepanic00 iterations
Slicepanicpanic00 iterations
ChannelBlocks foreverBlocks forever0Blocks forever
// βœ— Bad β€” nil map panics on write
var m map[string]int
m["key"] = 1

// βœ“ Good β€” initialize or lazy-init in methods
m := make(map[string]int)

func (r *Registry) Add(name string, val int) {
    if r.items == nil { r.items = make(map[string]int) }
    r.items[name] = val
}

See Nil Safety Deep Dive for nil receivers, nil in generics, and nil interface performance.

Slice & Map Safety

Slice aliasing β€” the append trap

append reuses the backing array if capacity allows. Both slices then share memory:

// βœ— Dangerous β€” a and b share backing array
a := make([]int, 3, 5)
b := append(a, 4)
b[0] = 99 // also modifies a[0]

// βœ“ Good β€” full slice expression forces new allocation
b := append(a[:len(a):len(a)], 4)

Map concurrent access

Maps MUST NOT be accessed concurrently β€” β†’ see samber/cc-skills-golang@golang-concurrency for sync primitives.

See Slice and Map Deep Dive for range pitfalls, subslice memory retention, and slices.Clone/maps.Clone.

Numeric Safety

Implicit type conversions truncate silently

// βœ— Bad β€” silently wraps around if val > math.MaxInt32 (3B becomes -1.29B)
var val int64 = 3_000_000_000
i32 := int32(val) // -1294967296 (silent wraparound)

// βœ“ Good β€” check before converting
if val > math.MaxInt32 || val < math.MinInt32 {
    return fmt.Errorf("value %d overflows int32", val)
}
i32 := int32(val)

Float comparison

// βœ— Bad β€” floating point arithmetic is not exact
var a, b, c float64 = 0.1, 0.2, 0.3
a+b == c // false

// βœ“ Good β€” use epsilon comparison
const epsilon = 1e-9
math.Abs((a+b)-c) < epsilon // true

Division by zero

Integer division by zero panics. Float division by zero produces +Inf, -Inf, or NaN.

func avg(total, count int) (int, error) {
    if count == 0 {
        return 0, errors.New("division by zero")
    }
    return total / count, nil
}

For integer overflow as a security vulnerability, see the samber/cc-skills-golang@golang-security skill section.

Resource Safety

defer in loops β€” resource accumulation

defer runs at function exit, not loop iteration. Resources accumulate until the function returns:

// βœ— Bad β€” all files stay open until function returns
for _, path := range paths {
    f, _ := os.Open(path)
    defer f.Close() // deferred until function exits
    process(f)
}

// βœ“ Good β€” extract to function so defer runs per iteration
for _, path := range paths {
    if err := processOne(path); err != nil { return err }
}
func processOne(path string) error {
    f, err := os.Open(path)
    if err != nil { return err }
    defer f.Close()
    return process(f)
}

Goroutine leaks

β†’ See samber/cc-skills-golang@golang-concurrency for goroutine lifecycle and leak prevention.

Immutability & Defensive Copying

Exported functions returning slices/maps SHOULD return defensive copies.

Protecting struct internals

// βœ— Bad β€” exported slice field, anyone can mutate
type Config struct {
    Hosts []string
}

// βœ“ Good β€” unexported field with accessor returning a copy
type Config struct {
    hosts []string
}

func (c *Config) Hosts() []string {
    return slices.Clone(c.hosts)
}

Initialization Safety

Zero-value design

Design types so var x MyType is safe β€” prevents "forgot to initialize" bugs:

var mu sync.Mutex   // βœ“ usable at zero value
var buf bytes.Buffer // βœ“ usable at zero value

// βœ— Bad β€” nil map panics on write
type Cache struct { data map[string]any }

sync.Once for lazy initialization

type DB struct {
    once sync.Once
    conn *sql.DB
}

func (db *DB) connection() *sql.DB {
    db.once.Do(func() {
        db.conn, _ = sql.Open("postgres", connStr)
    })
    return db.conn
}

init() function pitfalls

β†’ See samber/cc-skills-golang@golang-design-patterns for why init() should be avoided in favor of explicit constructors.

Enforce with Linters

Many safety pitfalls are caught automatically by linters: errcheck, forcetypeassert, nilerr, govet, staticcheck. See the samber/cc-skills-golang@golang-lint skill for configuration and usage.

Go 1.25+ reflection type assertions

For reflection code, prefer reflect.TypeAssert[T] over value.Interface().(T).

v := reflect.ValueOf(x)
if s, ok := reflect.TypeAssert[string](v); ok {
    use(s)
}

Cross-References

  • β†’ See samber/cc-skills-golang@golang-concurrency skill for concurrent access patterns and sync primitives
  • β†’ See samber/cc-skills-golang@golang-data-structures skill for slice/map internals, capacity growth, and container/ packages
  • β†’ See samber/cc-skills-golang@golang-error-handling skill for nil error interface trap
  • β†’ See samber/cc-skills-golang@golang-security skill for security-relevant safety issues (memory safety, integer overflow)
  • β†’ See samber/cc-skills-golang@golang-troubleshooting skill for debugging panics and race conditions

Common Mistakes

MistakeFix
Bare type assertion v := x.(T)Panics on type mismatch, crashing the program. Use v, ok := x.(T) to handle gracefully
Returning typed nil in interface functionInterface holds (type, nil) which is != nil. Return untyped nil for the nil case
Writing to a nil mapNil maps have no backing storage β€” write panics. Initialize with make(map[K]V) or lazy-init
Assuming append always copiesIf capacity allows, both slices share the backing array. Use s[:len(s):len(s)] to force a copy
defer in a loopdefer runs at function exit, not loop iteration β€” resources accumulate. Extract body to a separate function
int64 to int32 without bounds checkValues wrap silently (3B β†’ -1.29B). Check against math.MaxInt32/math.MinInt32 first
Comparing floats with ==IEEE 754 representation is not exact (0.1+0.2 != 0.3). Use math.Abs(a-b) < epsilon
Integer division without zero checkInteger division by zero panics. Guard with if divisor == 0 before dividing
Returning internal slice/map referenceCallers can mutate your struct's internals through the shared backing array. Return a defensive copy
Multiple init() with ordering assumptionsinit() execution order across files is unspecified. β†’ See samber/cc-skills-golang@golang-design-patterns β€” use explicit constructors
Blocking forever on nil channelNil channels block on both send and receive. Always initialize before use

Cross-References

  • β†’ See samber/cc-skills-golang@golang-continuous-integration skill for automated AI-driven code review in CI using these guidelines