dotenv — Node.js Environment Variable Loader
Suspicious. Audited by ClawScan on May 13, 2026.
Overview
This is mostly a dotenv reference skill, but it includes examples that could leak API keys or environment secrets if followed directly.
Review this skill carefully before using it for real secrets. Avoid copying examples that print API keys or bundle all environment variables into client-side code, treat dotenvx .env files as trusted when command substitution is enabled, and inspect any remote installer before running it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent copying this example could accidentally reveal an API key.
The basic usage example prints a sensitive API key value, which could expose credentials in terminal output, logs, shared screenshots, or CI logs.
console.log(process.env.OPENAI_API_KEY)
Do not print secret values. Demonstrate presence checks or redacted output instead, such as logging only whether a variable is set.
Database URLs, API keys, private keys, or other secrets could be bundled into public JavaScript.
The Webpack example takes every parsed .env variable and defines it for the bundle, which can expose secrets to client-side code if used in a browser build.
const env = dotenv.config().parsed
const envKeys = Object.keys(env).reduce((prev, key) => {
prev[`process.env.${key}`] = JSON.stringify(env[key])
Only expose explicitly allowlisted, non-sensitive client variables, and warn users not to inject an entire .env file into browser bundles.
Running dotenvx with an untrusted .env file could execute unexpected local commands.
The documented dotenvx command-substitution feature can execute shell commands embedded in environment files when dotenvx runs.
### Command Substitution
```ini
DATABASE_URL="postgres://$(whoami)@localhost/mydb"
```
```bash
dotenvx run -- node index.js
```
Treat .env files used with dotenvx command substitution as trusted code, and avoid this feature for files from untrusted sources.
A user who runs this command is trusting the remote installer and network path at install time.
The optional dotenvx installation instructions include downloading and executing a remote shell script.
curl -fsS https://dotenvx.sh/ | sh
Prefer package-manager installs where possible, verify the source, and inspect remote install scripts before running them.
