Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

envguard

v1.0.1

Pre-commit secret detection — block leaked credentials, API keys, and .env files before they hit git


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for suhteevah/envguard.

Prompt preview: Install & Setup
Install the skill "envguard" (suhteevah/envguard) from ClawHub.
Skill page: https://clawhub.ai/suhteevah/envguard
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: git, bash, python3, jq
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI (bare skill slug):

openclaw skills install envguard

ClawHub CLI:

npx clawhub@latest install envguard

Security Scan
Capability signals

Crypto · Requires wallet · Requires OAuth token · Requires sensitive credentials

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Suspicious (View report →)

OpenClaw: Benign (high confidence)

Purpose & Capability

The skill is a local secret scanner / git hook integrator. Required binaries (git, bash, python3, jq) and the brew install of lefthook are appropriate for installing and running pre-commit hooks and performing local file scans. The declared primary credential (ENVGUARD_LICENSE_KEY) matches the SKILL.md which gates Pro/Team features.

Instruction Scope

Runtime instructions and scripts only operate locally: scanning files, reading .envguardignore, managing allowlist entries in ~/.openclaw/openclaw.json, installing a lefthook config into the repo, and scanning staged files via sourced scripts. These behaviors match the described purpose, but the skill will write/append to repo lefthook.yml and read/write your ~/.openclaw/openclaw.json for allowlist/license settings—users should expect those filesystem changes.

Install Mechanism

Install uses a well-known package manager entry (brew formula: lefthook). The skill bundle includes all scripts/patterns locally (no arbitrary remote downloads or extract-from-unknown-URLs), so installation risk is limited to installing lefthook and placing the skill files (normal for a ClawHub skill).

Credentials

ENVGUARD_LICENSE_KEY is the only declared required credential and is justified by the license-gated features. The code optionally references CLAWHUB_JWT_SECRET for offline JWT verification (used only if present) but that env var is not declared in requires.env; it is optional and only used to verify license tokens locally. The skill reads/writes ~/.openclaw/openclaw.json (declared in SKILL.md), which is proportionate but means CI/automation keys stored there could be read by the skill.

Persistence & Privilege

always:false and normal autonomous invocation settings are used. The skill writes its own config (allowlist) into ~/.openclaw/openclaw.json and can append/configure lefthook in a repository (expected behavior for a git hook tool). It does not request elevated or cross-skill privileges.

Assessment

This package appears to do what it says: local regex-based scanning and optional pre-commit hook installation. Before installing: (1) confirm you want lefthook added to your repo (envguard hooks install will modify/append lefthook.yml and install a pre-commit hook that can block commits), (2) know that allowlist and license values are stored/managed in ~/.openclaw/openclaw.json (the skill will read/write that file), (3) Pro/Team commands require ENVGUARD_LICENSE_KEY (and the code can optionally use CLAWHUB_JWT_SECRET to verify license signatures if you set it), and (4) if you want to audit behavior, review the included scripts (scripts/*.sh) since scanning is implemented in plain shell and runs locally with no external network calls. If you do not want local config changes or repo hook modifications, avoid running the hooks install command.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

OS: macOS · Linux · Windows
Bins: git, bash, python3, jq
Primary env: ENVGUARD_LICENSE_KEY

Install

Install lefthook (git hooks manager)
Bins: lefthook
brew install lefthook
latest: vk97e7rxey0d3qvghfgysv7tzk184taay
75 downloads · 0 stars · 2 versions · Updated 1w ago
v1.0.1 · MIT-0 · macOS, Linux, Windows

EnvGuard — Pre-Commit Secret Detection

EnvGuard scans your code for leaked secrets, credentials, API keys, and .env file contents before they reach git. It uses regex-based pattern matching against 50+ secret formats from 20+ services, lefthook for git hook integration, and produces SARIF-compatible reports for compliance workflows.

Commands

Free Tier (No license required)

envguard scan [file|directory]

One-shot secret scan of files or directories.

How to execute:

bash "<SKILL_DIR>/scripts/envguard.sh" scan [target]

What it does:

  1. Accepts a file path or directory (defaults to current directory)
  2. Finds all text files (excluding .git/, node_modules/, dist/, build/, vendor/, __pycache__/)
  3. Runs 50+ secret detection patterns against each file
  4. Respects .envguardignore exclusions (gitignore syntax)
  5. Outputs findings with: file, line number, pattern matched, severity, redacted match
  6. Exit code 0 if clean, exit code 1 if critical/high findings detected

Example usage scenarios:

  • "Scan this repo for leaked secrets" -> runs envguard scan .
  • "Check this file for API keys" -> runs envguard scan src/config.ts
  • "Are there any secrets in my source code?" -> runs envguard scan src/
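The scan steps above are easiest to see in working code. The following is an added example written for this page, not the skill's own scripts/envguard.sh (which the scan report says is plain shell): it walks a tree, prunes the excluded directories, skips binaries, runs a small pattern table with severities over every line, redacts matches to their first and last four characters, and maps the findings to the exit code. The regexes and the sample file contents are this example's assumptions; the only real-looking value is AWS's documented example key id AKIAIOSFODNN7EXAMPLE.

```python
"""Regex secret scanner in the shape the page describes. Added example, not
scripts/envguard.sh; the regexes are assumptions, not EnvGuard's rules."""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass

# Subset of the page's secret categories; the regexes are assumptions.
PATTERNS = {
    "aws-access-key-id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "critical"),
    "github-token": (re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"), "critical"),
    "stripe-live-key": (re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"), "critical"),
    "private-key": (re.compile(r"-----BEGIN (?:RSA |OPENSSH |DSA |EC |PGP )?PRIVATE KEY-----"), "critical"),
    "google-api-key": (re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"), "high"),
    "generic-assignment": (re.compile(r"(?i)(?:api_key|password|secret|token)\s*=\s*['\"]?[^\s'\"]{8,}"), "low"),
}
EXCLUDED_DIRS = {".git", "node_modules", "dist", "build", "vendor", "__pycache__"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Finding:
    path: str
    line: int
    pattern: str
    severity: str
    redacted: str


def redact(secret: str) -> str:
    """Keep only the first and last 4 characters; the page says output is always redacted."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(text: str, path: str = "<stdin>") -> list[Finding]:
    """Run every pattern over every line; one Finding per match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, (rx, severity) in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append(Finding(path, lineno, name, severity, redact(m.group(0))))
    return findings


def is_text_file(path: str) -> bool:
    """NUL byte in the first 4 KiB means binary; skipped silently, per the page's error rule."""
    with open(path, "rb") as fh:
        return b"\x00" not in fh.read(4096)


def scan_tree(root: str) -> list[Finding]:
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]  # prune in place
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if not is_text_file(full):
                continue
            with open(full, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), os.path.relpath(full, root)))
    return findings


def exit_code(findings: list[Finding], threshold: str = "high") -> int:
    """1 if anything at or above the threshold (critical/high by default), else 0."""
    bar = SEVERITY_RANK[threshold]
    return 1 if any(SEVERITY_RANK[f.severity] >= bar for f in findings) else 0


# Constructed sample: AWS's documented example key id plus made-up values.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
db_password = "correct-horse-battery-staple"
# nothing secret on this line
"""


def demo_tree() -> list[Finding]:
    """Constructed layout: a real hit in src/, a decoy under node_modules/, a binary file."""
    root = tempfile.mkdtemp(prefix="envguard-demo-")
    os.makedirs(os.path.join(root, "src"))
    os.makedirs(os.path.join(root, "node_modules", "pkg"))
    with open(os.path.join(root, "src", "config.py"), "w") as fh:
        fh.write(SAMPLE)
    with open(os.path.join(root, "node_modules", "pkg", "index.js"), "w") as fh:
        fh.write("const t = 'ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij';\n")  # excluded dir
    with open(os.path.join(root, "src", "blob.bin"), "wb") as fh:
        fh.write(b"\x00\x01AKIAIOSFODNN7EXAMPLE")  # binary, skipped
    return scan_tree(root)


if __name__ == "__main__":
    results = demo_tree()
    for f in results:
        print(f"{f.path}:{f.line} [{f.severity}] {f.pattern}: {f.redacted}")
    raise SystemExit(exit_code(results))
```

Run it directly to see the redacted listing and the exit status. The decoy under node_modules/ and the NUL-containing file never appear, which is the behaviour a pre-commit gate needs so that vendored fixtures do not block every commit; note that the low-severity generic rule also fires on the GITHUB_TOKEN line, which is why a severity threshold rather than a raw finding count should drive the exit code.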

Pro Tier ($19/user/month -- requires ENVGUARD_LICENSE_KEY)

envguard hooks install

Install git pre-commit hooks that scan staged files for secrets before every commit.

How to execute:

bash "<SKILL_DIR>/scripts/envguard.sh" hooks install

What it does:

  1. Validates Pro+ license
  2. Copies lefthook config to project root
  3. Installs lefthook pre-commit hook
  4. On every commit: scans all staged files for secrets, blocks commit if secrets found, shows remediation advice

envguard hooks uninstall

Remove EnvGuard git hooks.

bash "<SKILL_DIR>/scripts/envguard.sh" hooks uninstall

envguard allowlist [add|remove|list] [pattern]

Manage false positive patterns. Allowlisted patterns are skipped during scanning.

bash "<SKILL_DIR>/scripts/envguard.sh" allowlist add "EXAMPLE_API_KEY_FOR_TESTS"
bash "<SKILL_DIR>/scripts/envguard.sh" allowlist remove "EXAMPLE_API_KEY_FOR_TESTS"
bash "<SKILL_DIR>/scripts/envguard.sh" allowlist list

What it does:

  1. Validates Pro+ license
  2. Reads/writes allowlist in ~/.openclaw/openclaw.json (envguard.config.allowlist)
  3. Allowlisted patterns are treated as known-safe and skipped during scans

envguard diff

Scan only staged changes (git diff --cached) for secrets.

bash "<SKILL_DIR>/scripts/envguard.sh" diff

What it does:

  1. Validates Pro+ license
  2. Gets staged changes via git diff --cached
  3. Scans only added/modified lines for secrets
  4. Ideal for pre-commit checks on large repos

Team Tier ($39/user/month -- requires ENVGUARD_LICENSE_KEY with team tier)

envguard history [directory]

Full git history scan -- finds secrets in all previous commits.

bash "<SKILL_DIR>/scripts/envguard.sh" history [directory]

What it does:

  1. Validates Team+ license
  2. Walks entire git log using git log -p
  3. Scans every diff for secrets across all commits
  4. Reports: commit hash, author, date, file, line, pattern matched
  5. Critical for onboarding repos that may have had secrets committed in the past
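The staged-diff scan (envguard diff, above) and the history scan just described reduce to the same job: walk a patch, examine only the added lines, track the post-change line number from each @@ header, and carry the commit hash, author and date along when the input is git log -p. The following is an added example of that parser, written for this page and not taken from the skill's scripts; the two-entry pattern table and both patch texts are constructed for the example.

```python
"""Patch-oriented scanning for `git diff --cached` and `git log -p` output.
Added example, not the skill's code; patterns and patches are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

PATTERNS = {  # assumption: two entries stand in for the page's 50+
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe-live-key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
}
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class DiffFinding:
    commit: str | None   # None for a plain `git diff --cached`
    author: str | None
    date: str | None
    path: str
    line: int            # line number in the post-change file
    pattern: str


def scan_patch(text: str) -> list[DiffFinding]:
    """Only '+' lines are scanned; removed lines never reach the new file."""
    commit = author = date = None
    path, new_line, in_hunk = "?", 0, False
    findings: list[DiffFinding] = []
    for raw in text.splitlines():
        if raw.startswith("commit "):                  # `git log -p` commit header
            commit, author, date, in_hunk = raw.split()[1], None, None, False
        elif raw.startswith("Author: ") and not in_hunk:
            author = raw[len("Author: "):]
        elif raw.startswith("Date: ") and not in_hunk:
            date = raw[len("Date: "):].strip()
        elif raw.startswith("diff "):                  # next file in the patch
            in_hunk = False
        elif not in_hunk:                              # file headers / commit message
            if raw.startswith("+++ "):
                path = raw[4:].removeprefix("b/")
            m = HUNK.match(raw)
            if m:
                new_line, in_hunk = int(m.group(1)), True
        elif (m := HUNK.match(raw)):                   # further hunk of the same file
            new_line = int(m.group(1))
        elif raw.startswith("+"):                      # added line: the only kind we scan
            for name, rx in PATTERNS.items():
                if rx.search(raw[1:]):
                    findings.append(DiffFinding(commit, author, date, path, new_line, name))
            new_line += 1
        elif raw.startswith(" "):                      # unchanged context still occupies a line
            new_line += 1
        # '-' lines and "\ No newline at end of file" have no line in the new file
    return findings


# Constructed `git log -p` output: hashes, author and values are made up.
LOG = """\
commit 9f3c2b1a0d4e5f60718293a4b5c6d7e8f9a0b1c2
Author: Dev Example <dev@example.com>
Date:   Mon Jan 1 12:00:00 2024 +0000

    add config

diff --git a/config/prod.env b/config/prod.env
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/config/prod.env
@@ -0,0 +1,3 @@
+APP_ENV=production
+STRIPE_KEY=sk_live_0123456789abcdefghijklmnopqr
+LOG_LEVEL=info
commit 1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d
Author: Dev Example <dev@example.com>
Date:   Sun Dec 31 12:00:00 2023 +0000

    initial

diff --git a/deploy.sh b/deploy.sh
new file mode 100644
index 0000000..abcdef0
--- /dev/null
+++ b/deploy.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+# deploy helper
+export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+aws s3 sync . s3://bucket
"""

# Constructed `git diff --cached` output: the removed line must not be reported.
STAGED = """\
diff --git a/src/settings.py b/src/settings.py
index 1111111..2222222 100644
--- a/src/settings.py
+++ b/src/settings.py
@@ -10,4 +10,5 @@ DEBUG = False
 DATABASES = {}
-SECRET = "old"
+SECRET = "new"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
 ALLOWED_HOSTS = []
"""

if __name__ == "__main__":
    for f in scan_patch(LOG) + scan_patch(STAGED):
        print(f"{f.commit or 'staged'} {f.path}:{f.line} {f.pattern} ({f.author}, {f.date})")
```

Feeding it the real commands is a matter of `subprocess.run(["git", "diff", "--cached"], ...)` or `["git", "log", "-p"]` and passing stdout to scan_patch; the line numbers it reports are those of the file after the change, which is what a developer needs to open the right spot, and for history scans the commit hash identifies where the credential has to be rotated from, since removing it in a later commit does not take it out of the repository.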

envguard report [directory]

Generate a SARIF-compatible or markdown compliance report.

bash "<SKILL_DIR>/scripts/envguard.sh" report [directory]

What it does:

  1. Validates Team+ license
  2. Runs full scan of the directory
  3. Generates a formatted markdown report with severity breakdown
  4. Includes remediation steps for each finding category
  5. Output suitable for compliance audits and security reviews
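The page says the report can be SARIF-compatible or markdown. The following is an added example, not the skill's own reporting code, of emitting a minimal SARIF 2.1.0 log and the markdown severity breakdown from a list of findings; the findings, the rule ids, and the mapping from the page's four severities onto SARIF's error/warning/note levels are this example's assumptions.

```python
"""Findings -> SARIF 2.1.0 and markdown. Added example, not the skill's code."""
import json

# SARIF 'level' has only error/warning/note/none, so the original severity
# is kept in a property bag as well.  Mapping is an assumption.
LEVEL = {"critical": "error", "high": "error", "medium": "warning", "low": "note"}

FINDINGS = [  # constructed, already redacted
    {"path": "src/config.py", "line": 1, "pattern": "aws-access-key-id",
     "severity": "critical", "redacted": "AKIA************MPLE"},
    {"path": "src/config.py", "line": 3, "pattern": "generic-assignment",
     "severity": "low", "redacted": "pass********aple"},
]


def to_sarif(findings, tool_name="envguard", tool_version="1.0.1"):
    rules, results = {}, []
    for f in findings:
        rules.setdefault(f["pattern"], {
            "id": f["pattern"],
            "shortDescription": {"text": f"Possible {f['pattern']} secret"},
            "defaultConfiguration": {"level": LEVEL[f["severity"]]},
        })
        results.append({
            "ruleId": f["pattern"],
            "level": LEVEL[f["severity"]],
            # Only the redacted form goes in the report: the report itself
            # will be stored and shared, so it must not become a second leak.
            "message": {"text": f"{f['pattern']} matched: {f['redacted']}"},
            "properties": {"severity": f["severity"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["path"]},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


def sarif_json(findings) -> str:
    return json.dumps(to_sarif(findings), indent=2)


def severity_breakdown(findings) -> dict:
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


def to_markdown(findings) -> str:
    lines = ["# EnvGuard report", "", "## Severity breakdown", ""]
    lines += [f"- {sev}: {n}" for sev, n in severity_breakdown(findings).items()]
    lines += ["", "## Findings", "", "| File | Line | Pattern | Severity | Match |",
              "|---|---|---|---|---|"]
    for f in findings:
        lines.append(f"| {f['path']} | {f['line']} | {f['pattern']} | "
                     f"{f['severity']} | `{f['redacted']}` |")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(sarif_json(FINDINGS))
    print(to_markdown(FINDINGS))
```

A file in this shape is what code-scanning dashboards ingest; keeping the raw severity under `properties` lets a downstream policy distinguish critical from high even though both map to the SARIF `error` level.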

envguard policy [directory]

Custom secret patterns and enforcement rules.

bash "<SKILL_DIR>/scripts/envguard.sh" policy [directory]

What it does:

  1. Validates Team+ license
  2. Loads custom patterns from ~/.openclaw/openclaw.json (envguard.config.customPatterns)
  3. Enforces organization-specific secret rules (e.g., internal token formats)
  4. Combines custom patterns with built-in patterns for comprehensive scanning
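Both envguard allowlist (above) and envguard policy read the same place in ~/.openclaw/openclaw.json: the config object under skills.entries.envguard. The following is an added example, not the skill's scripts, of that handling: add/remove/list allowlist entries with an atomic write, load customPatterns, compile them next to the built-ins, and drop matches whose text is allowlisted. The two built-in patterns, the shape of a customPatterns entry ({"name", "regex", "severity"}), and the rule that a custom regex that fails to compile is reported and skipped rather than aborting the scan are assumptions of this example; it takes an explicit path so the real ~/.openclaw/openclaw.json is never touched.

```python
"""Allowlist and custom-pattern config handling. Added example, not the
skill's code; the customPatterns entry shape is an assumption."""
import json
import os
import re
import tempfile

BUILTIN = {  # assumption: two built-ins stand in for the page's 50+
    "aws-access-key-id": (r"\bAKIA[0-9A-Z]{16}\b", "critical"),
    "github-token": (r"\bgh[pousr]_[A-Za-z0-9]{36}\b", "critical"),
}


def load_config(path):
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def envguard_section(cfg):
    """Return skills.entries.envguard.config, creating the path if missing."""
    entry = cfg.setdefault("skills", {}).setdefault("entries", {}).setdefault("envguard", {})
    return entry.setdefault("config", {})


def save_config(path, cfg):
    """Write atomically: the file also holds other skills' entries and the license key."""
    tmp = f"{path}.tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump(cfg, fh, indent=2)
        fh.write("\n")
    os.replace(tmp, path)


def allowlist(path, action, pattern=None):
    cfg = load_config(path)
    entries = envguard_section(cfg).setdefault("allowlist", [])
    if action == "list":
        return list(entries)
    if action == "add":
        if pattern not in entries:
            entries.append(pattern)
    elif action == "remove":
        entries[:] = [e for e in entries if e != pattern]
    else:
        raise ValueError(f"unknown action {action!r}")
    save_config(path, cfg)
    return list(entries)


def compile_patterns(path):
    """Built-ins plus customPatterns; a bad custom regex is skipped and reported."""
    section = envguard_section(load_config(path))
    compiled = {name: (re.compile(rx), sev) for name, (rx, sev) in BUILTIN.items()}
    skipped = []
    for entry in section.get("customPatterns", []):
        try:
            compiled[entry["name"]] = (re.compile(entry["regex"]), entry.get("severity", "high"))
        except (re.error, KeyError) as exc:
            skipped.append((entry.get("name", "?"), str(exc)))
    return compiled, skipped


def scan_line(line, patterns, allowlisted):
    """One line -> [(pattern, severity, match)], minus allowlisted match text."""
    hits = []
    for name, (rx, sev) in patterns.items():
        for m in rx.finditer(line):
            if m.group(0) in allowlisted:
                continue
            hits.append((name, sev, m.group(0)))
    return hits


def demo():
    """Constructed walk-through on a temp config file (never the real ~/.openclaw)."""
    path = os.path.join(tempfile.mkdtemp(prefix="envguard-cfg-"), "openclaw.json")
    save_config(path, {"skills": {"entries": {"envguard": {"config": {"customPatterns": [
        {"name": "acme-internal-token", "regex": r"\bACME-[0-9A-F]{12}\b", "severity": "high"},
        {"name": "broken", "regex": r"[unclosed", "severity": "low"},
    ]}}}}})
    allowlist(path, "add", "AKIAIOSFODNN7EXAMPLE")   # AWS's documented example key id
    patterns, skipped = compile_patterns(path)
    allowed = set(allowlist(path, "list"))
    sample = "aws=AKIAIOSFODNN7EXAMPLE token=ACME-0123456789AB"  # constructed
    return {
        "hits": scan_line(sample, patterns, allowed),
        "skipped": [name for name, _ in skipped],
        "patterns": sorted(patterns),
        "allowlist_before": sorted(allowed),
        "allowlist_after_remove": allowlist(path, "remove", "AKIAIOSFODNN7EXAMPLE"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Allowlisting here is by exact match text, which is the safe default: a regex allowlist entry such as `.*` would silently disable every rule, so if you accept patterns, validate them as strictly as the custom detection rules.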

Detected Secret Types

EnvGuard detects 50+ secret patterns across 20+ services:

| Category | Examples | Severity |
|---|---|---|
| AWS Credentials | AKIA* keys, aws_secret_access_key | Critical |
| Stripe Keys | sk_live_, sk_test_, rk_live_, whsec_ | Critical |
| GitHub Tokens | ghp_, gho_, ghu_, ghs_, ghr_* | Critical |
| GitLab Tokens | glpat-* | Critical |
| Private Keys | RSA, OPENSSH, DSA, EC, PGP private keys | Critical |
| Slack Tokens | xoxb-, xoxp-, xoxo-, xapp- | High |
| Google API Keys | AIza* | High |
| JWT Tokens | eyJ* (long base64 tokens) | High |
| Database URIs | postgres://, mysql://, mongodb://, redis:// | High |
| Twilio Keys | SK* API key SIDs | High |
| SendGrid Keys | SG.* | High |
| Firebase/Supabase | API keys and service tokens | High |
| npm Tokens | npm_* | High |
| Heroku API Keys | Heroku token patterns | Medium |
| DigitalOcean | dop_v1_, doo_v1_ | Medium |
| Azure Keys | Azure subscription/account keys | Medium |
| Cloudflare | API tokens and keys | Medium |
| Docker Hub | Docker auth tokens | Medium |
| Mailgun/Postmark | API keys | Medium |
| Generic Secrets | api_key=, password=, secret=, token= | Low |
| .env Leaks | KEY=value patterns in source files | Low |

Configuration

Users can configure EnvGuard in ~/.openclaw/openclaw.json:

{
  "skills": {
    "entries": {
      "envguard": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY_HERE",
        "config": {
          "severityThreshold": "high",
          "allowlist": [],
          "customPatterns": [],
          "excludePatterns": ["**/node_modules/**", "**/dist/**", "**/.git/**"],
          "reportFormat": "markdown"
        }
      }
    }
  }
}

Important Notes

  • Free tier works immediately with no configuration
  • All scanning happens locally -- no code or secrets are sent to external servers
  • License validation is offline -- no phone-home or network calls
  • Supports .envguardignore files (gitignore syntax) to exclude paths
  • Matches are always redacted in output (first/last 4 chars only)
  • Git hooks use lefthook which must be installed (see install metadata above)
  • Exit codes: 0 = clean, 1 = findings at or above the severity threshold (critical/high by default), for CI/CD integration

Error Handling

  • If lefthook is not installed and user tries hooks install, prompt to install it
  • If license key is invalid or expired, show clear message with link to https://envguard.pages.dev/renew
  • If a file is binary, skip it automatically with no warning
  • If .envguardignore is malformed, warn and continue with default excludes
  • If no files found in target, report clean scan with info message

When to Use EnvGuard

The user might say things like:

  • "Scan for leaked secrets"
  • "Check if any API keys are in my code"
  • "Set up secret scanning on my commits"
  • "Are there any credentials in this repo?"
  • "Generate a security report for compliance"
  • "Scan git history for leaked passwords"
  • "Block secrets from being committed"
  • "Check my staged files for secrets"
  • "Add a false positive to the allowlist"
