ClawHub

FlyAI Env Guardian

v1.0.0

Protect sensitive environment variables from accidental exposure in commits, logs, and CI pipelines with automated scanning and pre-commit validation.

0· 98·0 current·0 all-time
by@dingtom336-gif

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for dingtom336-gif/flyai-env-guardian.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "FlyAI Env Guardian" (dingtom336-gif/flyai-env-guardian) from ClawHub.
Skill page: https://clawhub.ai/dingtom336-gif/flyai-env-guardian
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install flyai-env-guardian

ClawHub CLI

Package manager switcher

npx clawhub@latest install flyai-env-guardian
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name and description match the SKILL.md content: scanning staged files, checking .env hygiene, recommending pre-commit hooks and CI checks. The skill does not request unrelated credentials or broad system access. One minor mismatch: the documentation references tools/operations (git history scanning, Docker image scanning, git-secrets, GitHub Actions checks) that implicitly require binaries or services (git, docker, image scanners) but the registry entry lists no required binaries; this is plausible for an instruction-only skill but worth noting.
Instruction Scope
The SKILL.md stays within repository and CI/CD hygiene tasks (scanning files, regex/entropy checks, updating .gitignore, generating .env.example, blocking commits). It does not instruct exfiltration or contacting external endpoints. However, several optional actions (deep git-history scans, Docker image scanning, validating workflow secrets) require access to repository history and additional tools; the skill does not declare those dependencies and will rely on the agent environment to provide them. The allowedTools list (Bash, Read, Grep, Glob) implies shell-level file access, which is appropriate but broad — you should review any hooks or auto-fix actions before enabling them.
Install Mechanism
There is no install spec and no code files; it's instruction-only. This minimizes risk from arbitrary downloads or installs.
Credentials
The skill requests no environment variables or credentials. Its recommended actions (e.g., suggesting moving secrets to .env) are consistent with its purpose. There are no surprising secret requests or config path accesses declared.
Persistence & Privilege
always is false and there is no install-time persistence. disable-model-invocation is false (the default) which allows autonomous invocation — expected for skills. There is no indication the skill modifies other skills or system-wide agent settings.
Assessment
This skill appears to do what it claims: scan repositories for exposed secrets and help set up pre-commit/CI checks. Before enabling it, consider: (1) the skill runs shell-style operations (Bash, Grep, Read) and will need access to your repository files and git history — run it on a safe/test repo first; (2) optional features (history scan, Docker image scanning, workflow validation) require external tools (git, docker, image scanners, git-secrets, etc.); ensure those tools are available and trusted; (3) review any generated pre-commit hooks or auto-fix changes (.gitignore, .env.example) before committing—disable autoFix until you inspect outputs; (4) confirm the agent executing the skill has only the repository-level access you intend (it could read any file the agent can access); and (5) there are no declared network endpoints or credential requests, but if you integrate the recommendations into CI you will need to provision secrets there manually and rotate any exposed credentials immediately.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d19xkdge3813jw4gpx2bnzx83yg57
98downloads
0stars
1versions
Updated 3w ago
v1.0.0
MIT-0
@dingtom336-gif
latest
Download

FlyAI Env Guardian

Automated environment variable protection for development teams. Scans codebases for exposed secrets, validates .env file hygiene, and prevents accidental credential leaks before they reach version control.

When to use

Activate this skill when:

  • A developer is about to commit changes that may contain secrets or API keys
  • Setting up a new project and need to establish .env security patterns
  • Auditing an existing codebase for exposed credentials
  • Configuring CI/CD pipelines that handle sensitive environment variables
  • Reviewing pull requests for potential secret exposure

Threat Model

High Risk Patterns

PatternExampleRisk Level
Hardcoded API keysconst KEY = sk-proj-abc123Critical
Database URLs with passwordspostgres://user:pass@host/dbCritical
AWS credentials in codeAWS_SECRET_ACCESS_KEY = ...Critical
JWT secretsJWT_SECRET = mysecretHigh
Private keysBEGIN RSA PRIVATE KEYCritical
OAuth tokensgithub_pat_..., ghp_..., gho_...High

Medium Risk Patterns

PatternExampleRisk Level
Internal URLshttp://internal-api.corp:8080Medium
IP addresses with ports192.168.1.100:3306Medium
Email addresses in configadmin@company.comLow

Scanning Process

  1. Pre-commit scan: Check staged files for secret patterns using regex matching
  2. File extension filter: Focus on source code files (.ts, .js, .py, .go, .rs, .java, .env*)
  3. Entropy analysis: Flag high-entropy strings (potential random tokens) in non-test files
  4. Known pattern matching: Check against 40+ known secret formats (AWS, GCP, Azure, Stripe, Twilio, etc.)
  5. .gitignore validation: Ensure .env files are properly ignored
  6. History scan: Optional deep scan of git history for previously committed secrets

Remediation Actions

When secrets are found:

Immediate

  • Block the commit with a clear error message
  • Show exactly which file and line contains the secret
  • Suggest moving the value to .env and using process.env

Follow-up

  • If a secret was already committed, recommend rotating the credential immediately
  • Generate a .env.example file with placeholder values
  • Add missing entries to .gitignore
  • Set up git-secrets or pre-commit hooks for ongoing protection

Environment File Standards

Required Structure

  • .env: Local development values (never committed)
  • .env.example: Template with placeholder values (committed)
  • .env.test: Test environment values (committed, no real secrets)
  • .env.production: Production values (never committed, managed by CI/CD)

Naming Conventions

  • Use UPPER_SNAKE_CASE for all variable names
  • Prefix with service name: DATABASE_URL, REDIS_HOST, STRIPE_SECRET_KEY
  • Document each variable with inline comments
  • Group related variables with section headers

CI/CD Integration

GitHub Actions

  • Validate that no .env files are included in the build artifact
  • Check that all required env vars are set in the workflow
  • Scan PR diffs for new secret introductions

Docker

  • Never use ENV for secrets in Dockerfiles
  • Use Docker secrets or mount .env at runtime
  • Scan built images for embedded credentials

Configuration

The skill respects a .envguardian.json config file:

  • customPatterns: Additional regex patterns to scan for
  • ignoreFiles: Paths to exclude from scanning
  • severityThreshold: Minimum severity to report (low, medium, high, critical)
  • autoFix: Whether to automatically add .gitignore entries

Comments

Loading comments...