Why this matters
The bug. Slices in Go are zero-indexed with valid indices [0, len(arr)). The guard should reject idx == len(arr), but > only rejects strictly greater. The exact boundary case slips through and the fallback line never runs — the function panics at arr[idx] instead.
The fix. Use >= (or > len(arr) - 1, which is uglier and breaks for empty slices). Negative indices also need rejecting if idx can be a user input; the puzzle accepts the variant with || idx < 0.
Heuristic. Whenever you write a bounds check, ask: 'what if idx equals the length exactly?' This boundary is where fencepost bugs live.
Review heuristic
When a comparison involves <, <=, >, >=, or -1, work the boundary case by hand: what happens with zero items? One item? n+1 items? Pagination, buffer length, and recursion are the three places where the bug is most likely.
External reference: CWE-193: Off-by-one Error.