← Back to Skills Marketplace
FlyAI Env Guardian
by
dingtom336-gif
· GitHub ↗
· v1.0.0
· MIT-0
105
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install flyai-env-guardian
Description
Protect sensitive environment variables from accidental exposure in commits, logs, and CI pipelines with automated scanning and pre-commit validation.
README (SKILL.md)
FlyAI Env Guardian
Automated environment variable protection for development teams. Scans codebases for exposed secrets, validates .env file hygiene, and prevents accidental credential leaks before they reach version control.
When to use
Activate this skill when:
- A developer is about to commit changes that may contain secrets or API keys
- Setting up a new project and need to establish .env security patterns
- Auditing an existing codebase for exposed credentials
- Configuring CI/CD pipelines that handle sensitive environment variables
- Reviewing pull requests for potential secret exposure
Threat Model
High Risk Patterns
| Pattern | Example | Risk Level |
|---|---|---|
| Hardcoded API keys | const KEY = sk-proj-abc123 | Critical |
| Database URLs with passwords | postgres://user:pass@host/db | Critical |
| AWS credentials in code | AWS_SECRET_ACCESS_KEY = ... | Critical |
| JWT secrets | JWT_SECRET = mysecret | High |
| Private keys | BEGIN RSA PRIVATE KEY | Critical |
| OAuth tokens | github_pat_..., ghp_..., gho_... | High |
Medium Risk Patterns
| Pattern | Example | Risk Level |
|---|---|---|
| Internal URLs | http://internal-api.corp:8080 | Medium |
| IP addresses with ports | 192.168.1.100:3306 | Medium |
| Email addresses in config | [email protected] | Low |
Scanning Process
- Pre-commit scan: Check staged files for secret patterns using regex matching
- File extension filter: Focus on source code files (.ts, .js, .py, .go, .rs, .java, .env*)
- Entropy analysis: Flag high-entropy strings (potential random tokens) in non-test files
- Known pattern matching: Check against 40+ known secret formats (AWS, GCP, Azure, Stripe, Twilio, etc.)
- .gitignore validation: Ensure .env files are properly ignored
- History scan: Optional deep scan of git history for previously committed secrets
Remediation Actions
When secrets are found:
Immediate
- Block the commit with a clear error message
- Show exactly which file and line contains the secret
- Suggest moving the value to .env and using process.env
Follow-up
- If a secret was already committed, recommend rotating the credential immediately
- Generate a .env.example file with placeholder values
- Add missing entries to .gitignore
- Set up git-secrets or pre-commit hooks for ongoing protection
Environment File Standards
Required Structure
- .env: Local development values (never committed)
- .env.example: Template with placeholder values (committed)
- .env.test: Test environment values (committed, no real secrets)
- .env.production: Production values (never committed, managed by CI/CD)
Naming Conventions
- Use UPPER_SNAKE_CASE for all variable names
- Prefix with service name: DATABASE_URL, REDIS_HOST, STRIPE_SECRET_KEY
- Document each variable with inline comments
- Group related variables with section headers
CI/CD Integration
GitHub Actions
- Validate that no .env files are included in the build artifact
- Check that all required env vars are set in the workflow
- Scan PR diffs for new secret introductions
Docker
- Never use ENV for secrets in Dockerfiles
- Use Docker secrets or mount .env at runtime
- Scan built images for embedded credentials
Configuration
The skill respects a .envguardian.json config file:
- customPatterns: Additional regex patterns to scan for
- ignoreFiles: Paths to exclude from scanning
- severityThreshold: Minimum severity to report (low, medium, high, critical)
- autoFix: Whether to automatically add .gitignore entries
Usage Guidance
This skill appears to do what it claims: scan repositories for exposed secrets and help set up pre-commit/CI checks. Before enabling it, consider: (1) the skill runs shell-style operations (Bash, Grep, Read) and will need access to your repository files and git history — run it on a safe/test repo first; (2) optional features (history scan, Docker image scanning, workflow validation) require external tools (git, docker, image scanners, git-secrets, etc.); ensure those tools are available and trusted; (3) review any generated pre-commit hooks or auto-fix changes (.gitignore, .env.example) before committing—disable autoFix until you inspect outputs; (4) confirm the agent executing the skill has only the repository-level access you intend (it could read any file the agent can access); and (5) there are no declared network endpoints or credential requests, but if you integrate the recommendations into CI you will need to provision secrets there manually and rotate any exposed credentials immediately.
Capability Analysis
Type: OpenClaw Skill
Name: flyai-env-guardian
Version: 1.0.0
The flyai-env-guardian skill is a security utility designed to scan codebases for exposed secrets and validate environment variable hygiene. The instructions in SKILL.md are strictly defensive, focusing on identifying high-entropy strings and known credential patterns (e.g., AWS keys, JWT secrets) to prevent accidental commits. The allowed tools (Bash, Grep, Read, Glob) are appropriate for its stated purpose, and there is no evidence of data exfiltration, malicious execution, or prompt-injection attacks.
Capability Assessment
Purpose & Capability
The name and description match the SKILL.md content: scanning staged files, checking .env hygiene, recommending pre-commit hooks and CI checks. The skill does not request unrelated credentials or broad system access. One minor mismatch: the documentation references tools/operations (git history scanning, Docker image scanning, git-secrets, GitHub Actions checks) that implicitly require binaries or services (git, docker, image scanners) but the registry entry lists no required binaries; this is plausible for an instruction-only skill but worth noting.
Instruction Scope
The SKILL.md stays within repository and CI/CD hygiene tasks (scanning files, regex/entropy checks, updating .gitignore, generating .env.example, blocking commits). It does not instruct exfiltration or contacting external endpoints. However, several optional actions (deep git-history scans, Docker image scanning, validating workflow secrets) require access to repository history and additional tools; the skill does not declare those dependencies and will rely on the agent environment to provide them. The allowedTools list (Bash, Read, Grep, Glob) implies shell-level file access, which is appropriate but broad — you should review any hooks or auto-fix actions before enabling them.
Install Mechanism
There is no install spec and no code files; it's instruction-only. This minimizes risk from arbitrary downloads or installs.
Credentials
The skill requests no environment variables or credentials. Its recommended actions (e.g., suggesting moving secrets to .env) are consistent with its purpose. There are no surprising secret requests or config path accesses declared.
Persistence & Privilege
always is false and there is no install-time persistence. disable-model-invocation is false (the default) which allows autonomous invocation — expected for skills. There is no indication the skill modifies other skills or system-wide agent settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install flyai-env-guardian - After installation, invoke the skill by name or use
/flyai-env-guardian - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of flyai-env-guardian.
- Scans codebases and commits for exposed environment variables and secrets.
- Supports pre-commit validation, file extension filters, and entropy analysis for detecting secret patterns.
- Validates .env file hygiene and ensures proper .gitignore configuration.
- Provides developer guidance and remediation actions when secrets are found.
- Integrates with CI/CD pipelines for ongoing protection.
- Allows customization via .envguardian.json config file.
Metadata
Frequently Asked Questions
What is FlyAI Env Guardian?
Protect sensitive environment variables from accidental exposure in commits, logs, and CI pipelines with automated scanning and pre-commit validation. It is an AI Agent Skill for Claude Code / OpenClaw, with 105 downloads so far.
How do I install FlyAI Env Guardian?
Run "/install flyai-env-guardian" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is FlyAI Env Guardian free?
Yes, FlyAI Env Guardian is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does FlyAI Env Guardian support?
FlyAI Env Guardian is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created FlyAI Env Guardian?
It is built and maintained by dingtom336-gif (@dingtom336-gif); the current version is v1.0.0.
More Skills