Env Diff Explainer
v1.0.0 · Compares dev/staging/prod configuration differences and translates technical differences into business risk. Use for: env, config, diff workflows. Do not use for: outputting sensitive key values or directly overwriting configuration.
⭐ 0· 122·0 current·0 all-time
by vx:17605205782@52yuanchangxing
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description match the included resources and script. The skill only requires python3 and includes a script (scripts/run.py), spec/template resources, examples, and tests that implement pattern-based auditing and report generation. All requested artifacts are proportionate to a local 'env diff' auditing tool.
Instruction Scope
SKILL.md stays within the stated purpose and explicitly recommends read-only, review-first behavior. The runtime instructions allow running scripts/run.py against a file or directory; the script recursively reads many text file types under the given path (md, json, yaml, py, sh, etc.). That behavior is expected for an audit tool, but it means the agent (or an operator running the script) may expose the content of any file under the target path. The skill warns against outputting sensitive keys, and the script attempts to mask secret-like patterns, but the masking is only partial (see the Assessment below).
Install Mechanism
No install spec; only python3 is required and the script uses the Python standard library. Nothing is downloaded or executed from remote URLs; the repository is self-contained. This is a low-risk install posture.
Credentials
The skill requests no environment variables, no credentials, and no config paths. That aligns with a local-only auditing tool. There are no unexpected secret/API requirements.
Persistence & Privilege
The always flag is false, and the skill does not request persistent system-wide privileges. It does not modify other skills or system configs. Running the script can write output files if given an --output path, but that is normal and under the operator's control.
Assessment
This skill appears to do what it says: read local config files or directories and produce a human-reviewable diff/risk report. Before you run it or allow the agent to invoke it, consider:
1) Do not point the skill at your entire filesystem or at directories that contain production secrets (e.g., /, home directories, or repository roots that hold credentials). The script recursively reads many file types.
2) The script attempts to mask secret-like patterns, but it only truncates or masks parts of matched tokens (prefix characters may still be revealed), and other sensitive artifacts (URLs, filenames) may appear unmasked. Treat its output as potentially sensitive.
3) Prefer running it in an isolated or sanitized workspace (copies of the files with secrets redacted). Use --dry-run first and review stdout rather than automatically writing or sharing outputs.
4) Review scripts/run.py yourself if you need higher assurance. It is self-contained and makes no network calls, but it will read and include snippets from any file you point it at.
5) The skill requests neither credentials nor network access; keep credentials out of its input and follow the SKILL.md guidance about not outputting secret values. If you need the skill to run autonomously, restrict its allowed input paths and audit its outputs for leaked data.
Like a lobster shell, security has layers — review code before you run it.
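The two points the scan keeps returning to are partial masking (a truncated token still leaks its prefix) and the translation of a config diff into a risk statement. The following is an added example in Python, not the skill's own scripts/run.py and not code from this page, that diffs two constructed .env files, fully redacts secret-like values instead of truncating them, and attaches an illustrative risk note to each difference. The sample files, the key-name patterns used to decide what is secret-like, and the risk rules are all assumptions made for the illustration.

```python
"""Added example: env diff with full secret redaction (illustrative, not the
skill's scripts/run.py). The .env samples, secret-like patterns and risk rules
are constructed assumptions."""
import re
from typing import Dict, List, Optional

# Constructed sample inputs standing in for dev/.env and prod/.env.
DEV_ENV = """\
APP_ENV=dev
DEBUG=true
LOG_FORMAT=json
DATABASE_URL=postgres://app:devpass@localhost:5432/app
STRIPE_API_KEY=sk_test_51H0000000000000000
CORS_ALLOWED_ORIGINS=*
SESSION_TIMEOUT_MIN=1440
"""
PROD_ENV = """\
APP_ENV=prod
DEBUG=true
LOG_FORMAT=json
DATABASE_URL=postgres://app:Pr0dS3cret!@db.internal:5432/app
STRIPE_API_KEY=sk_live_51H9999999999999999
CORS_ALLOWED_ORIGINS=*
SESSION_TIMEOUT_MIN=30
"""

# Illustrative patterns. Matching on key names over-redacts (KEYBOARD_LAYOUT
# would be hidden too), which is the safe failure direction for a report.
SECRET_KEY_RE = re.compile(r"KEY|SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL", re.I)
URL_CRED_RE = re.compile(r"://([^:/@\s]+):([^@\s]+)@")  # user:pass@ inside a URL


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; blanks and '#' comments are skipped."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip()
    return env


def truncating_mask(value: str) -> str:
    """The weak masking the scan warns about: 'sk_live_...' still says live Stripe key."""
    return value[:8] + "..." if len(value) > 8 else value


def redact(key: str, value: str) -> str:
    """Full redaction: no part of a secret-like value reaches the report.
    Credentials embedded in URLs are replaced in place so host/port stay reviewable."""
    if SECRET_KEY_RE.search(key):
        return "<redacted>"
    return URL_CRED_RE.sub(r"://\1:<redacted>@", value)


def assess(key: str, dev: Optional[str], prod: Optional[str]) -> str:
    """Translate one difference into a business-risk note (illustrative rules)."""
    prod_l = (prod or "").strip().lower()
    if key == "DEBUG" and prod_l in {"1", "true", "yes", "on"}:
        return "HIGH: debug enabled in prod; stack traces and internal state may reach users"
    if key.startswith("CORS_") and prod_l == "*":
        return "HIGH: wildcard CORS in prod; any site can call the API from a browser"
    if SECRET_KEY_RE.search(key) or (prod and URL_CRED_RE.search(prod)):
        if dev is not None and dev == prod:
            return "HIGH: same credential in dev and prod; a dev leak compromises prod"
        return "OK: per-environment credential (value redacted)"
    if dev is None:
        return "REVIEW: present only in prod"
    if prod is None:
        return "REVIEW: present only in dev"
    if dev != prod:
        return "REVIEW: value differs between environments"
    return "OK: identical"


def diff_envs(dev: Dict[str, str], prod: Dict[str, str]) -> List[Dict[str, str]]:
    """Rows for every key that differs, or that is risky in prod even when identical."""
    rows = []
    for key in sorted(set(dev) | set(prod)):
        d, p = dev.get(key), prod.get(key)
        risk = assess(key, d, p)
        if risk == "OK: identical":
            continue
        rows.append({"key": key, "risk": risk,
                     "dev": "-" if d is None else redact(key, d),
                     "prod": "-" if p is None else redact(key, p)})
    return rows


def render(rows: List[Dict[str, str]]) -> str:
    """Plain-text report; safe to paste into a ticket because values are redacted."""
    lines = ["key | dev | prod | risk"]
    lines += [f"{r['key']} | {r['dev']} | {r['prod']} | {r['risk']}" for r in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(diff_envs(parse_env(DEV_ENV), parse_env(PROD_ENV))))
```

Run it and compare the rendered report with what truncating_mask would have produced for the Stripe key: the report never contains "sk_live", "devpass" or the prod database password, yet the host and port in DATABASE_URL remain visible for review. The risk rules flag DEBUG and the wildcard CORS origin even though both are identical across environments, which is the point of translating a diff into risk rather than only listing changed lines.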
latest · vk97ah20nr708g12t5khk8g1chn832mec
Runtime requirements
🌡️ Clawdis
OS: macOS · Linux · Windows
Bins: python3
