Env Guard
Review
Audited by ClawScan on May 10, 2026.
Overview
Env Guard is mostly a local-only secret scanner, but its documented scan command is inconsistent with the code and can falsely report that nothing was found.
Review before installing. If you use it, do not rely on the documented `node src/env-guard.js scan ./my-project` command unless the CLI is fixed; verify it scans the intended path and fails on missing paths. Keep scan results local because programmatic output may include sensitive line content.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or CI pipeline following the documented command may believe a repository has no secrets even though it was not actually scanned.
SKILL.md documents `node src/env-guard.js scan ./my-project`, but the implementation treats `scan` as the target path and silently returns on unreadable or missing paths. This can produce a clean report without scanning the intended project.
`const target = process.argv[2] || '.'; ... catch { return; }`
Fix the CLI to parse the `scan` subcommand or update the docs to pass the path directly, and fail loudly when the target path does not exist or cannot be read.

Secrets found during scanning could enter an agent context, logs, or another integration if the report object is captured rather than only the redacted console output.
The CLI prints the redacted `snippet`, but the returned report object also contains a raw prefix of the matched line, which may include secret material if used programmatically.
`snippet: this._redact(match[0]), raw: line.trim().substring(0, 120)`
Remove or redact the `raw` field by default, or clearly document that programmatic results may contain sensitive line content.

Running it at a home directory, root directory, or overly broad workspace may read more local files than intended.
The tool recursively reads files under the selected target path. This is purpose-aligned for a local secret scanner, but it can cover many private files if invoked on a broad directory.
`this._scanDir(path.resolve(targetPath)); ... fs.readFileSync(filePath, 'utf8')`
Run scans only on the specific repository or workspace you intend to check.

Users have less external provenance information to verify the publisher or project history.
The package has limited provenance metadata, although the full reviewed code is included and no external dependencies or remote install scripts are shown.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Inspect the bundled source before use and prefer a version with a verifiable repository or homepage if provenance is important.
