API credentials hygiene
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only credential hygiene skill is coherent and mostly read-only, but users should redact real secrets and review the example n8n auth setting before copying it.
This skill is safe to use as a planning and documentation aid. Do not paste real API keys, tokens, private keys, or unredacted .env files into the conversation. Treat the included dotenv file as an example only, and review settings such as n8n authentication before applying them to any production environment.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user shares real API keys or tokens instead of redacted examples, those secrets could enter the chat context unnecessarily.
The skill may review credential-related configuration, which is expected for its purpose, and it specifically frames inputs as redacted snippets rather than live secrets.
OPTIONAL:
- Current config files/redacted snippets (.env, compose, systemd, n8n creds list).
Provide only redacted configuration snippets and placeholders; rotate any real secret that is accidentally pasted.
A user who copies the template without review could preserve an auth-disabled setting in an environment that relies on that variable.
The example template tells users they may copy it to a .env file and includes a concrete n8n authentication-related setting set to false, which may be inappropriate outside a controlled dev setup.
# Copy to .env (do not commit). Replace values via secret manager or deploy-time injection.
...
N8N_BASIC_AUTH_ACTIVE=false
Review all non-placeholder values before use, especially for production; set n8n authentication according to the deployment’s actual access-control model.
