Render Env Guard

v1.0.0

Preflight-check Render service environment variables before deploys; catches missing keys and placeholder/template values that commonly break production roll...

by Daniel Lummis (@daniellummis)
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the observed behavior: the script uses RENDER_API_KEY to call Render API, resolve a service, pull env vars, and validate keys. Required binaries (curl, python3) are appropriate for the HTTP requests and JSON parsing.
Instruction Scope
SKILL.md and scripts instruct only to call the Render API endpoints, parse service and env-var JSON, and report PASS/FAIL. The script uses only declared/expected environment variables and does not read unrelated system files or send data to third-party endpoints.
Install Mechanism
No install spec; the skill is instruction-only with an included shell script. Nothing is downloaded or installed at runtime by the skill itself.
Credentials
Only RENDER_API_KEY is required (plus optional Render-specific inputs). No unrelated credentials or unexpected secrets are requested. The RENDER_API_KEY is used appropriately to authenticate API calls.
Persistence & Privilege
always is false and the skill does not attempt to persist configuration or modify other skills. Autonomous invocation is allowed by default but is normal and not excessive here.
Assessment
This skill appears coherent and safe for its stated purpose. Before installing, ensure you: (1) provide a Render API key with least privilege necessary (read access for services/env-vars), (2) store RENDER_API_KEY securely in your CI secret store so it is not exposed in logs, and (3) review any custom RENDER_API_BASE_URL you might set. The script does not exfiltrate values to third parties and only calls Render's API, but do not run it on untrusted hosts that have access to your secrets.


Runtime requirements

Bins: curl, python3
Env: RENDER_API_KEY
MIT-0

Render Env Guard

Use this skill when a deployment is failing because environment variables are missing, placeholder values leaked from templates, or service selection is ambiguous.

What this skill does

  • Resolves a Render service by ID or name
  • Pulls service environment variables through the Render API
  • Validates required keys exist and are non-empty
  • Flags suspicious values (template placeholders, localhost DB URLs, unexpanded ${VAR} refs)
  • Exits non-zero on any blocking issue so CI/deploy scripts can fail fast

When to use

  • Before render deploy / render blueprint updates
  • After onboarding a new environment
  • When runtime is showing config-related 5xx errors

Inputs

  • RENDER_API_KEY (required)
  • one of:
    • RENDER_SERVICE_ID
    • RENDER_SERVICE_NAME
  • optional:
    • RENDER_API_BASE_URL (default https://api.render.com/v1)
    • REQUIRED_ENV_KEYS (comma-separated, default: DATABASE_URL,DIRECT_URL,SHADOW_DATABASE_URL,NEXT_PUBLIC_APP_URL)

Run

bash scripts/check-render-env.sh

or with explicit values:

RENDER_SERVICE_NAME=my-service \
REQUIRED_ENV_KEYS="DATABASE_URL,NEXT_PUBLIC_APP_URL,STRIPE_SECRET_KEY" \
bash scripts/check-render-env.sh

Output contract

  • Prints a short report with PASS/FAIL
  • Returns exit code 0 when all required keys are valid
  • Returns exit code 1 when any key is missing/invalid or service lookup fails

Notes

  • This checker is intentionally strict to prevent bad deploys.
  • It validates values at the service level (what Render will inject at runtime), not local .env files.
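
The checks listed under "What this skill does" and the exit codes in "Output contract" can be sketched as follows. This is an added example, not the skill's own scripts/check-render-env.sh; the regex heuristics, the function names, and the env-var payload shape are assumptions, and the sample payload is constructed.

```python
import json
import re
import sys

# Default key list documented on this page.
DEFAULT_REQUIRED = ("DATABASE_URL", "DIRECT_URL", "SHADOW_DATABASE_URL", "NEXT_PUBLIC_APP_URL")

# Assumed heuristics for the three "suspicious value" classes; the real script's may differ.
UNEXPANDED = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}")
PLACEHOLDER = re.compile(r"changeme|your[-_]|<[^>]+>|example\.com", re.I)
LOCAL_DB = re.compile(
    r"^(?:postgres(?:ql)?|mysql|mongodb)://(?:[^/@]*@)?(?:localhost|127\.0\.0\.1)(?=[:/]|$)", re.I)

def check_env(payload, required=DEFAULT_REQUIRED):
    """Return (key, problem) pairs for required keys; values are never echoed."""
    env = {}
    for item in payload:
        var = item.get("envVar", item)  # assumed shape: {"envVar": {"key", "value"}}
        env[var["key"]] = var.get("value") or ""
    problems = []
    for key in required:
        value = env.get(key)
        if value is None:
            problems.append((key, "missing"))
        elif not value.strip():
            problems.append((key, "empty"))
        elif UNEXPANDED.search(value):
            problems.append((key, "unexpanded ${VAR} reference"))
        elif PLACEHOLDER.search(value):
            problems.append((key, "template placeholder"))
        elif LOCAL_DB.match(value):
            problems.append((key, "localhost database URL"))
    return problems

def exit_code(problems):
    """Output contract from this page: 0 when all keys are valid, 1 otherwise."""
    return 1 if problems else 0

# Constructed sample payload, not real Render output.
SAMPLE = json.loads("""[
  {"envVar": {"key": "DATABASE_URL", "value": "postgresql://app:pw@localhost:5432/app"}},
  {"envVar": {"key": "DIRECT_URL", "value": "${DATABASE_URL}"}},
  {"envVar": {"key": "SHADOW_DATABASE_URL", "value": ""}}
]""")

if __name__ == "__main__":
    found = check_env(SAMPLE)
    for key, problem in found:
        print(f"FAIL {key}: {problem}")
    print("PASS" if not found else f"{len(found)} blocking issue(s)")
    sys.exit(exit_code(found))
```

The report names only the key and the problem class, so secret values stay out of CI logs.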
