Env Guard

v1.0.2

Scan repos and workspaces for leaked secrets. API keys in code, passwords in configs, tokens in logs. Catches them before they hit git.

by Shadow Rose (@theshadowrose)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description (secret scanning) match the included JS implementation: patterns for API keys, tokens, private keys, connection strings, and webhook URLs are present and used to scan files. The claimed features (custom patterns, allowlisting, CI exit codes) are implemented by the EnvGuard class and the CLI behavior.
Instruction Scope
SKILL.md and README describe running the scanner locally and integrating it into CI, which matches the code; however, there is a minor mismatch in CLI usage: the docs show `node src/env-guard.js scan ./my-project`, but the script treats the first CLI argument as the target path (process.argv[2]), so passing a literal 'scan' will cause the tool to scan a directory named 'scan' rather than './my-project'. The SKILL.md does not ask the agent to read unrelated files or environment variables or to transmit data, and the code performs no external network I/O.
Install Mechanism
No install spec (instruction-only with a packaged JS file). There is no runtime download or external installer; the code is local and uses only Node built-ins (fs, path). This is low risk for installation.
Credentials
The skill requests no environment variables, credentials, or config paths. The patterns intentionally target secret formats; no unexpected or unrelated credentials are requested. Allowlist and pattern APIs are local to the tool.
Persistence & Privilege
The skill is not always-enabled, has no special persistent privileges, and does not modify other skills or system-wide settings. It runs locally and does not store configuration beyond in-memory allowlist/pattern arrays (no files written by default).
Assessment
This package appears to be a straightforward local secret scanner. Before installing: (1) inspect src/env-guard.js (you already have it) and run it on a non-sensitive test directory to confirm behavior; (2) note the CLI mismatch — call it as `node src/env-guard.js <path>` (not necessarily with a 'scan' subcommand) or update the code if you want a subcommand; (3) run it in a sandbox/CI job with least privilege and avoid scanning production secrets live; (4) because it only reads files and prints/redacts matches, it does not exfiltrate data by default, but review any changes you make (e.g., adding telemetry or custom integrations) before running on sensitive repositories; and (5) if you rely on the author/contact links, verify their provenance since the package source is marked 'unknown.'

Like a lobster shell, security has layers — review code before you run it.

