v1.0.0

Env Setup

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:43 AM.

Analysis

This instruction-only skill is purpose-aligned, but it will inspect local environment files and may suggest project file or git-history changes that users should review.

Guidance: This skill appears safe for its stated purpose. Use it in the target repository only, review any generated .env.example, starter .env, or .gitignore edits before applying them, and make sure reports do not print real secret values from .env files.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
grep -rn "process\.env\.\w\+" ... . | grep -v node_modules | grep -v dist

The skill instructs recursive local searches through the codebase, which is expected for environment-variable discovery but should remain limited to the intended project.

User impact: The agent may read project files while searching for environment-variable references.
Recommendation: Run it only in the intended repository and review the commands or results if the project contains private code or sensitive configuration.
Cascading Failures
Severity: Low | Confidence: High | Status: Note
SKILL.md
If found, warn the user that secrets may be in git history and suggest `git filter-branch` or `BFG Repo-Cleaner`.

Rewriting git history can affect collaborators and shared repositories; the artifact only suggests these tools as remediation, which is appropriate but worth user review.

User impact: If the user follows remediation advice without planning, repository history or team workflows could be disrupted.
Recommendation: Before using history-rewriting tools, rotate exposed secrets, back up the repository, and coordinate with collaborators.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
If `.env` exists, compare against discovered variables

.env files often contain API keys, tokens, passwords, and other secrets; the skill's examples report variable names rather than values, making this purpose-aligned but sensitive.

User impact: The agent may inspect files that contain secret values, even if the intended report only lists variable names and missing or unused entries.
Recommendation: Ensure outputs do not include secret values, and avoid granting elevated access unless you are certain the repository and agent session are trusted.