Env Health Check

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its stated environment-health purpose and shows no network or hidden behavior, but it will check selected environment variables and write temporary/report files locally.

This appears safe for a local deployment-readiness check. Before running it, choose only the env var names and directories you want included in the report, and set --out to a file path that is okay to create or overwrite.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the check may create/delete a temporary file in selected directories and create or overwrite the chosen report file. This is expected for the purpose, but it still touches local paths.

Why it was flagged

The script tests write permissions by creating and removing a fixed-named temp file in each supplied directory, then writes a report to the chosen output path.

Skill content
    const test=path.join(abs,'.env-health-check.tmp');
    fs.writeFileSync(test,'ok','utf8');
    fs.unlinkSync(test);
    ...
    fs.writeFileSync(path.resolve(out),lines.join('\n'),'utf8');

Recommendation

Run it only against directories you intend to test, choose an output path safe to overwrite, and avoid directories that already contain .env-health-check.tmp.

What this means

The report can reveal which environment variables exist, including credential variable names if the user asks it to check API keys, but the artifact does not show secret values being printed or transmitted.

Why it was flagged

The script reads whether each named environment variable is set. It reports the variable name and OK/WARN status, not the secret value itself.

Skill content
    for(const name of envs){
      findings.push({type:'env',name,status:process.env[name]?'OK':'WARN'});
    }

Recommendation

Pass only environment variable names you are comfortable including in a local report, and keep the report private if those names or paths are sensitive.