env-secrets-manager

Advisory
Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (High Confidence)
ASI05: Unexpected Code Execution
What this means

A poisoned or malformed secret value could cause commands to run on the user's machine or in CI while the user is only trying to load environment variables.

Why it was flagged

The documented secret-loading workflow uses shell eval on data returned from a secret manager. Secret names or values containing shell metacharacters could be interpreted as commands when this is run.

Skill content
eval $(vault kv get -format=json secret/myapp/prod | jq -r ...)
Recommendation

Do not use eval for secret-manager output. Prefer provider-native run/injection commands, SDK-based loading, or a carefully quoted env-file workflow that validates variable names and treats values as data.

What this means

A scan intended to find secrets could accidentally further expose those secrets to logs or the agent transcript.

Why it was flagged

The secret scanning script prints matched lines from staged changes, which can include the actual secret values. In an agent-driven workflow, those values may enter terminal logs, CI logs, or conversation context.

Skill content
echo "$matches" | head -5
Recommendation

Redact matched values by default, show only file names and line numbers when possible, and avoid pasting real secret scan output into shared chats or tickets.

What this means

If run with overly broad tokens or cloud roles, the workflow can read or modify important application secrets.

Why it was flagged

The skill documents use of privileged secret-manager credentials and also includes AWS SSM decryption/write examples. This is expected for the stated purpose but gives access to sensitive production secrets.

Skill content
export VAULT_TOKEN="$(vault login -method=oidc -format=json | jq -r '.auth.client_token')"
Recommendation

Use least-privilege roles, scope tokens to the needed app/environment, avoid sharing command output, and require human approval before production secret writes or rotations.

Note (High Confidence)
ASI10: Rogue Agents
What this means

Future commits may be blocked or existing hooks may be overwritten if the hook is installed without review.

Why it was flagged

The optional hook installer creates an executable pre-commit hook that will run on future commits. This is disclosed and purpose-aligned, but it is persistent local behavior.

Skill content
HOOK_PATH=".git/hooks/pre-commit" ... chmod +x "$HOOK_PATH"
Recommendation

Review the hook before installing, back up any existing pre-commit hook, and prefer a team-managed pre-commit framework configuration.

Note (High Confidence)
ASI08: Cascading Failures
What this means

Running these commands incorrectly can disrupt collaborators, branches, and repository history.

Why it was flagged

The rotation playbook includes repository history rewriting and force-pushing all branches. The artifact warns to coordinate with the team, so this is disclosed, but the blast radius is high.

Skill content
git filter-repo --path-glob "*.env" --invert-paths ... git push origin --force --all
Recommendation

Treat history rewrite and force-push steps as manual incident-response actions only; get team approval, create backups, test on a clone, and document recovery steps.