Env Config Validator

Security checks across malware telemetry and agentic risk

Overview

This is a local .env validation tool, but its schema and report workflows can persist real secrets into files users may commit or share.

Install only if you are comfortable with the tool reading explicitly selected .env files. Do not generate schemas or JSON diff reports from production or secret-bearing files unless you review and redact the output before saving, committing, uploading, or sharing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
79% confidence
Finding
The trigger phrases are broad and overlap with many normal configuration-help requests, which can cause the skill to activate unexpectedly. Because this skill reads sensitive .env files and may generate outputs, overbroad invocation increases the chance of unnecessary secret exposure or unintended file operations in contexts where the user did not explicitly request them.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The skill advertises schema generation and output-file support without warning that these operations write artifacts to disk. While not inherently malicious, omitting this disclosure can lead to unintended file creation, overwriting, or persistence of derived data from sensitive environment files.

Credential Access

High
Category
Privilege Escalation
Content
# --- .env parser ---

def parse_env_file(path):
    """Parse a .env file and return list of (key, value, raw_line, line_num)."""
    entries = []
    try:
        with open(path, 'r') as f:
Confidence
85% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
return json.load(f)

def generate_schema(entries, output_path=None):
    """Generate a schema from existing .env entries."""
    schema = {'variables': {}}

    for key, value, raw, line_num, status in entries:
Confidence
90% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
    # Validation mode
    if not args.env_file:
        parser.error("Provide a .env file to validate, or use --diff or --generate-schema")

    entries = parse_env_file(args.env_file)
Confidence
87% confidence
Finding
.env

VirusTotal

66/66 vendors flagged this skill as clean.
