Environment Secrets Rotator
Review
Audited by ClawScan on May 18, 2026.
Overview
The skill mostly matches its secret-rotation purpose, but it appears to save generated secrets to a persistent history file automatically, which needs review before use.
Review the full script, especially the history handling, before installing. If you use it: start with --dry-run; rotate only explicitly selected files and keys; keep it away from production secrets until you know where outputs, backups and the history file are written; and delete any plaintext history or backup files you do not need.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken broad rotation could invalidate application credentials or break services, although the skill includes dry-run and backup options.
The tool can rotate every parsed key in a selected .env file and then write replacements back to disk. That matches the skill purpose, but it is a high-impact operation if run on the wrong file or in production.
    if keys == ["*"]:
        keys_to_rotate = list(current_values.keys())
    ...
    EnvFileParser.write_file(target_file, new_values, original_lines)
Use --dry-run first, name exact files and keys rather than "*" where possible, and require explicit user approval before any non-dry-run rotation of production or shared configuration files. Treat any backup the skill writes as sensitive: it holds the previous plaintext values.
New secrets may be visible in logs or conversation history after rotation.
The skill intentionally prints newly generated secret values and Vault command strings containing those values. This is disclosed and purpose-aligned, but it exposes credential material to terminal, agent, or chat logs.
No encryption - Generated secrets are shown in plaintext in output
Run it in a controlled session, do not paste or share the output, and if generated values land in logs or transcripts, treat them as exposed and rotate again.
Newly rotated secrets may remain stored in a local history file after the task, increasing the chance that live credentials are later exposed or reused unintentionally.
The visible code creates a persistent home-directory history file and passes the generated new secret values into a history recorder for every non-dry-run rotation. SKILL.md says history tracking is optional and requires enabling, but the visible rotate flow does not show an opt-in or redaction control.
    self.history_file = Path.home() / ".env-rotation-history.json"
    ...
    if not dry_run:
        self._record_history(filepath, keys_to_rotate, new_values)
Make history recording explicit opt-in, redact or avoid storing secret values, document the file location and retention behavior, and provide a safe cleanup command. Users should inspect or remove ~/.env-rotation-history.json if they test the skill.
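Findings 1 and 3 both concern the same rotate flow, so the following is one hardened version of it, added here as an example; it is not the skill's code. It reimplements the behaviour the excerpts above imply (a KEY=VALUE parser in place of EnvFileParser, a history recorder in place of _record_history) and makes three changes: dry-run is the default, a "*" wildcard is refused unless the caller passes an explicit allow_all approval, and history is opt-in and stores only key names plus a short SHA-256 fingerprint of each new value, never the value itself. The sample .env content is constructed for the demo.

```python
"""Hardened rotation flow: dry-run by default, explicit approval for wildcard
rotation, and an opt-in history file that records fingerprints, not secrets.
Added example; EnvFileParser and _record_history from the skill are assumed
to behave like the excerpts in the findings and are reimplemented here."""
from __future__ import annotations

import hashlib
import json
import re
import secrets
import tempfile
from pathlib import Path

ENV_LINE = re.compile(r"^(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<value>.*)$")


def parse_env(text: str) -> dict[str, str]:
    """Minimal KEY=VALUE parser; comments and blank lines do not match and are skipped."""
    values: dict[str, str] = {}
    for line in text.splitlines():
        m = ENV_LINE.match(line.strip())
        if m:
            values[m["key"]] = m["value"]
    return values


def render_env(original: str, new_values: dict[str, str]) -> str:
    """Rewrite only the rotated keys, keeping comments and ordering intact."""
    out = []
    for line in original.splitlines():
        m = ENV_LINE.match(line.strip())
        if m and m["key"] in new_values:
            out.append(f"{m['key']}={new_values[m['key']]}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def select_keys(current: dict[str, str], requested: list[str], allow_all: bool = False) -> list[str]:
    """Expand "*" only when the caller explicitly approved a wildcard rotation."""
    if requested == ["*"]:
        if not allow_all:
            raise PermissionError('wildcard rotation ["*"] requires allow_all=True')
        return list(current)
    missing = sorted(set(requested) - current.keys())
    if missing:
        raise KeyError(f"keys not present in file: {missing}")
    return list(requested)


def fingerprint(value: str) -> str:
    """Short SHA-256 prefix: enough to recognise a value later, not enough to reuse it."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def rotate(path: Path, requested: list[str], *, dry_run: bool = True,
           allow_all: bool = False, history_path: Path | None = None) -> dict:
    """Rotate the requested keys in `path`. Writes nothing unless dry_run=False."""
    original = path.read_text()
    keys = select_keys(parse_env(original), requested, allow_all)
    new_values = {k: secrets.token_urlsafe(32) for k in keys}
    if dry_run:
        return {"written": False, "keys": keys, "new_values": {}}
    backup = path.with_name(path.name + ".bak")  # holds the old plaintext: sensitive
    backup.write_text(original)
    path.write_text(render_env(original, new_values))
    if history_path is not None:  # opt-in, and only fingerprints are stored
        entries = json.loads(history_path.read_text()) if history_path.exists() else []
        entries.append({"file": str(path), "keys": keys,
                        "fingerprints": {k: fingerprint(v) for k, v in new_values.items()}})
        history_path.write_text(json.dumps(entries, indent=2))
        history_path.chmod(0o600)
    return {"written": True, "keys": keys, "new_values": new_values, "backup": str(backup)}


# Constructed sample config for the demo; not a real file or real credentials.
CONSTRUCTED_ENV = "# constructed sample\nDB_PASSWORD=old-db\nAPI_KEY=old-api\nAPP_NAME=demo\n"


def run_demo() -> dict:
    """Exercise the guards on a temporary copy of CONSTRUCTED_ENV and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        env = Path(tmp) / ".env"
        history = Path(tmp) / "rotation-history.json"
        env.write_text(CONSTRUCTED_ENV)
        rotate(env, ["DB_PASSWORD"])  # default is dry-run: nothing is written
        dry_run_unchanged = env.read_text() == CONSTRUCTED_ENV
        try:
            rotate(env, ["*"], dry_run=False)  # wildcard without approval is refused
            wildcard_refused = False
        except PermissionError:
            wildcard_refused = True
        result = rotate(env, ["DB_PASSWORD", "API_KEY"], dry_run=False, history_path=history)
        after = parse_env(env.read_text())
        history_text = history.read_text()
        return {
            "dry_run_unchanged": dry_run_unchanged,
            "wildcard_refused": wildcard_refused,
            "rotated": result["keys"],
            "app_name_untouched": after["APP_NAME"] == "demo",
            "values_replaced": all(after[k] == v for k, v in result["new_values"].items()),
            "history_has_plaintext": any(v in history_text for v in result["new_values"].values()),
            "history_keys": json.loads(history_text)[0]["keys"],
            "backup_is_original": Path(result["backup"]).read_text() == CONSTRUCTED_ENV,
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The new values still have to reach the caller (that is the point of rotation), so `rotate` returns them; what changes is that nothing on disk other than the target file holds them, and the history entry lets you later confirm which rotation produced a value seen in a log by comparing fingerprints rather than by keeping the secret around.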
