ClawHub

Env Setup

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only environment-audit helper whose file access and generated files match its stated purpose, though users should keep real secrets out of outputs.

Install only if you want an agent to audit environment variables in a specific repository. Before running it, confirm that outputs will list variable names and status only, not secret values; review any .env.example, starter .env, or .gitignore edits before accepting them; and treat any git-history cleanup advice as a manual, coordinated maintenance task.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrase "environment setup" is broad enough to match many generic user requests, which can cause the skill to activate unexpectedly and perform repository scanning or inspect `.env`-related files without the user intending to invoke this specific behavior. In a skill that enumerates environment variables and validates secret-bearing files, overbroad activation increases the chance of unintended sensitive-data exposure in agent context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill recommends generating a starter `.env` when none exists, but does not warn that this creates a live secrets container rather than a documentation template. That can lead users or agents to populate sensitive values locally in a new file that may later be mishandled, copied, or committed accidentally.

Credential Access

High
Category
Privilege Escalation
Content
- Group by category with comment headers
- Add `🔴 SECRET` warning on sensitive vars

### 5. Validate Current .env

If `.env` exists, compare against discovered variables:
Confidence
91% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
- **Framework-specific env**: Next.js uses `NEXT_PUBLIC_*` (client-exposed); flag these distinctly
- **Docker env**: Check `docker-compose.yml` `environment:` section too
- **Multiple .env files**: `.env.development`, `.env.production`, `.env.test` — validate all
- **No .env exists**: Generate both `.env.example` and a starter `.env`
- **Interpolated vars**: `${VAR:-default}` in shell scripts — extract `VAR`
Confidence
93% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
- **Framework-specific env**: Next.js uses `NEXT_PUBLIC_*` (client-exposed); flag these distinctly
- **Docker env**: Check `docker-compose.yml` `environment:` section too
- **Multiple .env files**: `.env.development`, `.env.production`, `.env.test` — validate all
- **No .env exists**: Generate both `.env.example` and a starter `.env`
- **Interpolated vars**: `${VAR:-default}` in shell scripts — extract `VAR`

## Error Handling
Confidence
96% confidence
Finding
.env

Unsafe Defaults

Medium
Category
Tool Misuse
Content
# ============================================

# --- App Configuration ---
NODE_ENV=development
PORT=3000
LOG_LEVEL=info
Confidence
88% confidence
Finding
NODE_ENV=development

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal