← Back to Skills Marketplace

Env Guard

Name: Env Guard
Author: theshadowrose

by Shadow Rose · GitHub ↗ · v1.0.2 · MIT-0

cross-platform ✓ Security Clean

540

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install env-guard

Description

Scan repos and workspaces for leaked secrets. API keys in code, passwords in configs, tokens in logs. Catches them before they hit git.

README (SKILL.md)

EnvGuard Secret & Credential Scanner

Scan repos and workspaces for leaked secrets. API keys in code, passwords in configs, tokens in logs. Catches them before they hit git.

Find leaked secrets before they reach production.

Quick Scan

node src/env-guard.js scan ./my-project

What It Finds

Secret Type	Pattern
API Keys	`sk-...`, `AKIA...`, `ghp_...`
Passwords	`password=`, `passwd:`
Tokens	`token=`, `bearer ...`
Private Keys	`-----BEGIN RSA PRIVATE KEY-----`
Connection Strings	`mongodb://`, `postgres://`
Webhook URLs	Discord webhooks, Slack webhooks

Features

Custom patterns — add your own secret patterns
Allowlisting — mark false positives to skip
CI integration — exit code 1 for pipeline gates

Output

🔴 SECRETS FOUND — 3 issues

src/config.js:12
  API key detected: sk-proj-...Tm4x (OpenAI)

.env.backup:3
  Database password in committed file

logs/debug.log:445
  Bearer token logged in plaintext

⚠️ Disclaimer

This software is provided "AS IS", without warranty of any kind, express or implied.

USE AT YOUR OWN RISK.

The author(s) are NOT liable for any damages, losses, or consequences arising from the use or misuse of this software — including but not limited to financial loss, data loss, security breaches, business interruption, or any indirect/consequential damages.
This software does NOT constitute financial, legal, trading, or professional advice.
Users are solely responsible for evaluating whether this software is suitable for their use case, environment, and risk tolerance.
No guarantee is made regarding accuracy, reliability, completeness, or fitness for any particular purpose.
The author(s) are not responsible for how third parties use, modify, or distribute this software after purchase.

By downloading, installing, or using this software, you acknowledge that you have read this disclaimer and agree to use the software entirely at your own risk.

DATA DISCLAIMER: This software processes and stores data locally on your system. The author(s) are not responsible for data loss, corruption, or unauthorized access resulting from software bugs, system failures, or user error. Always maintain independent backups of important data. This software does not transmit data externally unless explicitly configured by the user.

Support & Links


🐛 Bug Reports	[email protected]
☕ Ko-fi	ko-fi.com/theshadowrose
🛒 Gumroad	shadowyrose.gumroad.com
🐦 Twitter	@TheShadowyRose
🐙 GitHub	github.com/TheShadowRose
🧠 PromptBase	promptbase.com/profile/shadowrose

Built with OpenClaw — thank you for making this possible.

🛠️ Need something custom? Custom OpenClaw agents & skills starting at $500. If you can describe it, I can build it. → Hire me on Fiverr

Usage Guidance

This package appears to be a straightforward local secret scanner. Before installing: (1) inspect src/env-guard.js (you already have it) and run it on a non-sensitive test directory to confirm behavior; (2) note the CLI mismatch — call it as `node src/env-guard.js <path>` (not necessarily with a 'scan' subcommand) or update the code if you want a subcommand; (3) run it in a sandbox/CI job with least privilege and avoid scanning production secrets live; (4) because it only reads files and prints/redacts matches, it does not exfiltrate data by default, but review any changes you make (e.g., adding telemetry or custom integrations) before running on sensitive repositories; and (5) if you rely on the author/contact links, verify their provenance since the package source is marked 'unknown.'

Capability Analysis

Type: OpenClaw Skill Name: env-guard Version: 1.0.2 The EnvGuard skill is a legitimate local secret scanner designed to identify leaked API keys, passwords, and tokens within a filesystem. The implementation in `src/env-guard.js` uses standard Node.js modules (`fs`, `path`) to recursively scan files against a set of regex patterns, and it includes a redaction mechanism to prevent full secrets from being displayed in logs. There is no evidence of data exfiltration, network activity, or malicious instructions in `SKILL.md` or the source code.

Capability Assessment

✓ Purpose & Capability

The name/description (secret scanning) match the included JS implementation: patterns for API keys, tokens, private keys, connection strings, and webhook URLs are present and used to scan files. Features claimed (custom patterns, allowlisting, CI exit codes) are implemented by the EnvGuard class and CLI behavior.

ℹ Instruction Scope

SKILL.md and README describe running the scanner locally and CI integration, which matches the code; however, there is a minor mismatch in CLI usage: docs show `node src/env-guard.js scan ./my-project` but the script treats the first CLI argument as the target path (process.argv[2]), so passing a literal 'scan' will cause the tool to scan a directory named 'scan' rather than './my-project'. The SKILL.md does not ask the agent to read unrelated files, env vars, or transmit data, and the code also does not perform external network I/O.

✓ Install Mechanism

No install spec (instruction-only with a packaged JS file). There is no runtime download or external installer; the code is local and uses only Node built-ins (fs, path). This is low risk for installation.

✓ Credentials

The skill requests no environment variables, credentials, or config paths. The patterns intentionally target secret formats; no unexpected or unrelated credentials are requested. Allowlist and pattern APIs are local to the tool.

✓ Persistence & Privilege

The skill is not always-enabled, has no special persistent privileges, and does not modify other skills or system-wide settings. It runs locally and does not store configuration beyond in-memory allowlist/pattern arrays (no files written by default).

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install env-guard
After installation, invoke the skill by name or use /env-guard
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.2

env-guard 1.0.2 - Updated SKILL.md to reflect new version number. - No functional or code changes; documentation version bump only.

v1.0.1

- Updated documentation in SKILL.md for version 1.0.1. - Changed recommended scan command to use node src/env-guard.js instead of node env-guard.js. - Removed mentions of pre-commit hook and full repo scan features from documentation. - Updated features list to focus on custom patterns, allowlisting, and CI integration.

v1.0.0

Initial upload

Metadata

Slug env-guard

Version 1.0.2

License MIT-0

All-time Installs 2

Active Installs 2

Total Versions 3

Frequently Asked Questions

What is Env Guard?

Scan repos and workspaces for leaked secrets. API keys in code, passwords in configs, tokens in logs. Catches them before they hit git. It is an AI Agent Skill for Claude Code / OpenClaw, with 540 downloads so far.

How do I install Env Guard?

Run "/install env-guard" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Env Guard free?

Yes, Env Guard is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Env Guard support?

Env Guard is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Env Guard?

It is built and maintained by Shadow Rose (@theshadowrose); the current version is v1.0.2.

More Skills