Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Environment Secrets Rotator
v1.0.0
Rotate and update secrets in environment files, generate Vault commands, and manage secret rotation workflows.
⭐ 0 · 165 · 0 current · 0 all-time
by Derick (@derick001)
License
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious · medium confidence
Purpose & Capability
Name/description align with code and instructions: the script rotates keys in .env files, generates Vault CLI commands, and supports multiple generation algorithms, backups, dry-run, validation and batch operations. No unrelated network or cloud credentials are requested.
Instruction Scope
SKILL.md instructs only local .env manipulation and Vault command generation, which matches most of the code; however, the runtime instructions do not clearly call out that rotations will be recorded persistently to a history file in the user's home directory. The code calls self._record_history(...) on every non-dry-run rotation, which could store sensitive values unless explicitly disabled. This is broader persistence than SKILL.md emphasizes.
Install Mechanism
No install script or network downloads are used; the skill is instruction-only with an included Python script that requires only python3 and standard library modules. Nothing in the install surface is surprising.
Credentials
The skill requests no environment variables or external credentials (proportional), but it writes a history file to the user's home (~/.env-rotation-history.json) and creates backups next to edited files. Persisting plaintext rotated secrets in the home directory/backups is a sensitive capability not adequately highlighted in the description; this raises privacy risk if left enabled by default.
Persistence & Privilege
The skill creates backups in the target directory and a history file in the user's home directory. Although it does not modify other skills or system-wide settings, the persistent storage of secret values (and the location in the home directory) is an elevated persistence footprint that should be disclosed and controllable.
What to consider before installing
This skill appears to perform local .env secret rotation as advertised, but it will create backups and — importantly — record rotation history in a file under your home directory (~/.env-rotation-history.json). That history may contain plaintext secret values and appears to be recorded on every non-dry-run rotation. Before installing or running on production secrets:
(1) review the script's _record_history implementation and confirm whether and how secrets are stored;
(2) run with --dry-run and test files first;
(3) if you must use it, restrict the history file and backups to tight permissions (e.g., chmod 600) or disable history if possible;
(4) prefer using a real secrets manager for production rotations;
(5) if you need assurance the history is not stored, search the code for any calls that write to ~/.env-rotation-history.json or similar and remove or modify them.
I have medium confidence because part of the source was truncated (so I could not fully inspect the history-writing routine), but the visible code calls _record_history unguarded, which is why this is suspicious.
Like a lobster shell, security has layers — review code before you run it.
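The Credentials and Persistence findings above object to a history file that may hold plaintext secrets with default permissions, and the checklist asks you to confirm how _record_history stores values and to lock the file down. The following is an added example, not the skill's own code and not the `_record_history` routine the scanner could not fully inspect. It shows the shape a history writer should take if you patch the script (record key names and a SHA-256 fingerprint of the new value, never the value; create the file with mode 0600; honour an off switch), plus a small triage check you can run against an existing ~/.env-rotation-history.json. All function names, the JSON layout, and the "value"/"fingerprint" field names are assumptions, since the page does not show the real file format.

```python
"""Added example: a hardened rotation-history writer plus a triage check.

Not the skill's own code. The JSON layout (a list of objects with "file",
"key" and either "fingerprint" or a plaintext "value"), the field names and
the function names are assumptions; adapt them to the real script's format.
"""
import hashlib
import json
import os
import stat
import tempfile
from datetime import datetime, timezone

# Path named in the scan findings; override it in tests or for other homes.
HISTORY_PATH = os.path.expanduser("~/.env-rotation-history.json")


def fingerprint(secret: str) -> str:
    """Short SHA-256 digest: enough to answer 'did this key change?' without keeping the value."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def load_history(history_path: str = HISTORY_PATH) -> list:
    """Return the history entries, or [] if the file is missing or not a JSON list."""
    if not os.path.exists(history_path):
        return []
    with open(history_path) as fh:
        data = json.load(fh)
    return data if isinstance(data, list) else []


def record_history(env_file: str, key: str, new_value: str,
                   history_path: str = HISTORY_PATH, enabled: bool = True):
    """Append a rotation record that never contains the secret itself.

    Returns the record written, or None when history is disabled.
    """
    if not enabled:  # the off switch the scan asks for
        return None
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "file": os.path.abspath(env_file),
        "key": key,
        "fingerprint": fingerprint(new_value),
    }
    entries = load_history(history_path)
    entries.append(record)
    # Create with mode 0600 from the first write so there is no window in
    # which the file is group/world-readable; tighten a pre-existing file too.
    fd = os.open(history_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(entries, fh, indent=2)
    os.chmod(history_path, 0o600)
    return record


def audit_history(history_path: str = HISTORY_PATH) -> dict:
    """Triage an existing history file: loose permissions and plaintext value fields."""
    findings = {"exists": False, "world_readable": False, "plaintext_entries": []}
    if not os.path.exists(history_path):
        return findings
    findings["exists"] = True
    mode = stat.S_IMODE(os.stat(history_path).st_mode)
    findings["world_readable"] = bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
    for i, entry in enumerate(load_history(history_path)):
        if isinstance(entry, dict) and any(k in entry for k in ("value", "new_value", "old_value")):
            findings["plaintext_entries"].append({"index": i, "key": entry.get("key")})
    return findings


def run_demo() -> dict:
    """Exercise writer and audit in a scratch directory; returns the results."""
    scratch = tempfile.mkdtemp()
    good = os.path.join(scratch, "history.json")
    rec = record_history("app.env", "DB_PASSWORD", "hunter2", history_path=good)
    disabled = record_history("app.env", "API_KEY", "abc", history_path=good, enabled=False)
    with open(good) as fh:
        raw = fh.read()
    # Constructed example of the risky shape the scan warns about: a plaintext
    # value field in a file left group/world-readable.
    bad = os.path.join(scratch, "legacy-history.json")
    with open(bad, "w") as fh:
        json.dump([{"file": "app.env", "key": "API_KEY", "value": "plain-secret"}], fh)
    os.chmod(bad, 0o644)
    return {
        "record": rec,
        "disabled_returned": disabled,
        "secret_in_file": "hunter2" in raw,
        "entries": len(load_history(good)),
        "good_audit": audit_history(good),
        "bad_audit": audit_history(bad),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run `python3 -c 'import hist_example; print(hist_example.audit_history())'` (module name is yours) against a real home directory to see whether the existing file is world-readable or carries value fields; an empty `plaintext_entries` list only means no field is named like a value, so still eyeball the entries before trusting it.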
latest: vk97dxyz340tw8hx59ex1z8zqmn82v28b
Runtime requirements
Bins: python3
