← 返回 Skills 市场

Env Guard

Name: Env Guard
Author: theshadowrose

作者 Shadow Rose · GitHub ↗ · v1.0.2 · MIT-0

cross-platform ✓ 安全检测通过

540

总下载

当前安装

版本数

在 OpenClaw 中安装

/install env-guard

功能描述

Scan repos and workspaces for leaked secrets. API keys in code, passwords in configs, tokens in logs. Catches them before they hit git.

使用说明 (SKILL.md)

EnvGuard Secret & Credential Scanner

Scan repos and workspaces for leaked secrets. API keys in code, passwords in configs, tokens in logs. Catches them before they hit git.

Find leaked secrets before they reach production.

Quick Scan

node src/env-guard.js scan ./my-project

What It Finds

Secret Type	Pattern
API Keys	`sk-...`, `AKIA...`, `ghp_...`
Passwords	`password=`, `passwd:`
Tokens	`token=`, `bearer ...`
Private Keys	`-----BEGIN RSA PRIVATE KEY-----`
Connection Strings	`mongodb://`, `postgres://`
Webhook URLs	Discord webhooks, Slack webhooks

Features

Custom patterns — add your own secret patterns
Allowlisting — mark false positives to skip
CI integration — exit code 1 for pipeline gates

Output

🔴 SECRETS FOUND — 3 issues

src/config.js:12
  API key detected: sk-proj-...Tm4x (OpenAI)

.env.backup:3
  Database password in committed file

logs/debug.log:445
  Bearer token logged in plaintext

⚠️ Disclaimer

This software is provided "AS IS", without warranty of any kind, express or implied.

USE AT YOUR OWN RISK.

The author(s) are NOT liable for any damages, losses, or consequences arising from the use or misuse of this software — including but not limited to financial loss, data loss, security breaches, business interruption, or any indirect/consequential damages.
This software does NOT constitute financial, legal, trading, or professional advice.
Users are solely responsible for evaluating whether this software is suitable for their use case, environment, and risk tolerance.
No guarantee is made regarding accuracy, reliability, completeness, or fitness for any particular purpose.
The author(s) are not responsible for how third parties use, modify, or distribute this software after purchase.

By downloading, installing, or using this software, you acknowledge that you have read this disclaimer and agree to use the software entirely at your own risk.

DATA DISCLAIMER: This software processes and stores data locally on your system. The author(s) are not responsible for data loss, corruption, or unauthorized access resulting from software bugs, system failures, or user error. Always maintain independent backups of important data. This software does not transmit data externally unless explicitly configured by the user.

Support & Links


🐛 Bug Reports	[email protected]
☕ Ko-fi	ko-fi.com/theshadowrose
🛒 Gumroad	shadowyrose.gumroad.com
🐦 Twitter	@TheShadowyRose
🐙 GitHub	github.com/TheShadowRose
🧠 PromptBase	promptbase.com/profile/shadowrose

Built with OpenClaw — thank you for making this possible.

🛠️ Need something custom? Custom OpenClaw agents & skills starting at $500. If you can describe it, I can build it. → Hire me on Fiverr

安全使用建议

This package appears to be a straightforward local secret scanner. Before installing: (1) inspect src/env-guard.js (you already have it) and run it on a non-sensitive test directory to confirm behavior; (2) note the CLI mismatch — call it as `node src/env-guard.js <path>` (not necessarily with a 'scan' subcommand) or update the code if you want a subcommand; (3) run it in a sandbox/CI job with least privilege and avoid scanning production secrets live; (4) because it only reads files and prints/redacts matches, it does not exfiltrate data by default, but review any changes you make (e.g., adding telemetry or custom integrations) before running on sensitive repositories; and (5) if you rely on the author/contact links, verify their provenance since the package source is marked 'unknown.'

功能分析

Type: OpenClaw Skill Name: env-guard Version: 1.0.2 The EnvGuard skill is a legitimate local secret scanner designed to identify leaked API keys, passwords, and tokens within a filesystem. The implementation in `src/env-guard.js` uses standard Node.js modules (`fs`, `path`) to recursively scan files against a set of regex patterns, and it includes a redaction mechanism to prevent full secrets from being displayed in logs. There is no evidence of data exfiltration, network activity, or malicious instructions in `SKILL.md` or the source code.

能力评估

✓ Purpose & Capability

The name/description (secret scanning) match the included JS implementation: patterns for API keys, tokens, private keys, connection strings, and webhook URLs are present and used to scan files. Features claimed (custom patterns, allowlisting, CI exit codes) are implemented by the EnvGuard class and CLI behavior.

ℹ Instruction Scope

SKILL.md and README describe running the scanner locally and CI integration, which matches the code; however, there is a minor mismatch in CLI usage: docs show `node src/env-guard.js scan ./my-project` but the script treats the first CLI argument as the target path (process.argv[2]), so passing a literal 'scan' will cause the tool to scan a directory named 'scan' rather than './my-project'. The SKILL.md does not ask the agent to read unrelated files, env vars, or transmit data, and the code also does not perform external network I/O.

✓ Install Mechanism

No install spec (instruction-only with a packaged JS file). There is no runtime download or external installer; the code is local and uses only Node built-ins (fs, path). This is low risk for installation.

✓ Credentials

The skill requests no environment variables, credentials, or config paths. The patterns intentionally target secret formats; no unexpected or unrelated credentials are requested. Allowlist and pattern APIs are local to the tool.

✓ Persistence & Privilege

The skill is not always-enabled, has no special persistent privileges, and does not modify other skills or system-wide settings. It runs locally and does not store configuration beyond in-memory allowlist/pattern arrays (no files written by default).

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install env-guard
安装完成后，直接呼叫该 Skill 的名称或使用 /env-guard 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.2

env-guard 1.0.2 - Updated SKILL.md to reflect new version number. - No functional or code changes; documentation version bump only.

v1.0.1

- Updated documentation in SKILL.md for version 1.0.1. - Changed recommended scan command to use node src/env-guard.js instead of node env-guard.js. - Removed mentions of pre-commit hook and full repo scan features from documentation. - Updated features list to focus on custom patterns, allowlisting, and CI integration.

v1.0.0

Initial upload

元数据

Slug env-guard

版本 1.0.2

许可证 MIT-0

累计安装 2

当前安装数 2

历史版本数 3

常见问题

Env Guard 是什么？

Scan repos and workspaces for leaked secrets. API keys in code, passwords in configs, tokens in logs. Catches them before they hit git. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 540 次。

如何安装 Env Guard？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install env-guard」即可一键安装，无需额外配置。

Env Guard 是免费的吗？

是的，Env Guard 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Env Guard 支持哪些平台？

Env Guard 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Env Guard？

由 Shadow Rose（@theshadowrose）开发并维护，当前版本 v1.0.2。