dotenv — Node.js Environment Variable Loader

Pass. Audited by VirusTotal on May 13, 2026.

Overview

Type: OpenClaw Skill
Name: dotenv
Version: 1.0.0

The bundle provides standard documentation and usage instructions for the 'dotenv' and 'dotenvx' Node.js libraries. It includes security best practices such as using .gitignore for sensitive files and explains how to use encryption for environment variables. While SKILL.md mentions a 'curl | sh' installation method for dotenvx, this is the official installation path for the tool and aligns with its legitimate purpose. No evidence of malicious intent, data exfiltration, or prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user or agent copying this example could accidentally reveal an API key.

Why it was flagged

The basic usage example prints a sensitive API key value, which could expose credentials in terminal output, logs, shared screenshots, or CI logs.

Skill content
console.log(process.env.OPENAI_API_KEY)
Recommendation

Do not print secret values. Demonstrate presence checks or redacted output instead, such as logging only whether a variable is set.

What this means

Database URLs, API keys, private keys, or other secrets could be bundled into public JavaScript.

Why it was flagged

The Webpack example takes every parsed .env variable and defines it for the bundle, which can expose secrets to client-side code if used in a browser build.

Skill content
const dotenv = require('dotenv')
// Parses the whole .env file and builds a DefinePlugin map from every key in it
const env = dotenv.config().parsed
const envKeys = Object.keys(env).reduce((prev, key) => {
  prev[`process.env.${key}`] = JSON.stringify(env[key])
  return prev
}, {})
Recommendation

Only expose explicitly allowlisted, non-sensitive client variables, and warn users not to inject an entire .env file into browser bundles.

What this means

Running dotenvx with an untrusted .env file could execute unexpected local commands.

Why it was flagged

The documented dotenvx command-substitution feature can execute shell commands embedded in environment files when dotenvx runs.

Skill content
### Command Substitution
```ini
DATABASE_URL="postgres://$(whoami)@localhost/mydb"
```
```bash
dotenvx run -- node index.js
```
Recommendation

Treat .env files used with dotenvx command substitution as trusted code, and avoid this feature for files from untrusted sources.

What this means

A user who runs this command is trusting the remote installer and network path at install time.

Why it was flagged

The optional dotenvx installation instructions include downloading and executing a remote shell script.

Skill content
curl -fsS https://dotenvx.sh/ | sh
Recommendation

Prefer package-manager installs where possible, verify the source, and inspect remote install scripts before running them.