FlyAI Env Guardian

Author: dingtom336-gif (GitHub) · v1.0.0 · MIT-0 · cross-platform · security check passed
Total downloads: 105 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw: /install flyai-env-guardian
Description
Protect sensitive environment variables from accidental exposure in commits, logs, and CI pipelines with automated scanning and pre-commit validation.
Usage (SKILL.md)

FlyAI Env Guardian

Automated environment variable protection for development teams. Scans codebases for exposed secrets, validates .env file hygiene, and prevents accidental credential leaks before they reach version control.

When to use

Activate this skill when:

  • A developer is about to commit changes that may contain secrets or API keys
  • Setting up a new project and need to establish .env security patterns
  • Auditing an existing codebase for exposed credentials
  • Configuring CI/CD pipelines that handle sensitive environment variables
  • Reviewing pull requests for potential secret exposure

Threat Model

High Risk Patterns

Pattern: example (risk level)

  • Hardcoded API keys: const KEY = sk-proj-abc123 (Critical)
  • Database URLs with passwords: postgres://user:pass@host/db (Critical)
  • AWS credentials in code: AWS_SECRET_ACCESS_KEY = ... (Critical)
  • JWT secrets: JWT_SECRET = mysecret (High)
  • Private keys: BEGIN RSA PRIVATE KEY (Critical)
  • OAuth tokens: github_pat_..., ghp_..., gho_... (High)

Medium Risk Patterns

Pattern: example (risk level)

  • Internal URLs: http://internal-api.corp:8080 (Medium)
  • IP addresses with ports: 192.168.1.100:3306 (Medium)
  • Email addresses in config: [email protected] (Low)

Scanning Process

  1. Pre-commit scan: Check staged files for secret patterns using regex matching
  2. File extension filter: Focus on source code files (.ts, .js, .py, .go, .rs, .java, .env*)
  3. Entropy analysis: Flag high-entropy strings (potential random tokens) in non-test files
  4. Known pattern matching: Check against 40+ known secret formats (AWS, GCP, Azure, Stripe, Twilio, etc.)
  5. .gitignore validation: Ensure .env files are properly ignored
  6. History scan: Optional deep scan of git history for previously committed secrets
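A minimal implementation of steps 1 to 4 of the scanning process above, added here as an example; it is not part of the skill, which is instruction-only. It applies the file extension filter, the known-format regexes from the threat-model table, and a Shannon-entropy check on assigned values, skipping the entropy check in test files. The exact token shapes in KNOWN_PATTERNS and the 4.0 bits-per-character threshold are assumptions, and SAMPLE is constructed input.

```python
import math
import re
from collections import Counter
# Known secret formats from the threat-model table above; the exact token shapes
# (prefixes, lengths) are assumptions for illustration, not the skill's own rules.
KNOWN_PATTERNS = [
    ("hardcoded API key", r"sk-proj-[A-Za-z0-9_-]{8,}", "critical"),
    ("AWS access key id", r"\bAKIA[0-9A-Z]{16}\b", "critical"),
    ("database URL with password", r"\b(?:postgres|mysql|mongodb)://[^:\s/]+:[^@\s]+@", "critical"),
    ("private key block", r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----", "critical"),
    ("GitHub token", r"\b(?:ghp|gho)_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,}", "high"),
    ("JWT secret assignment", r"\bJWT_SECRET\s*=\s*\S+", "high"),
]
SOURCE_EXTENSIONS = (".ts", ".js", ".py", ".go", ".rs", ".java")
ASSIGNED_VALUE = re.compile(r"""[=:]\s*["']?([A-Za-z0-9+/_\-]{20,})["']?""")  # rhs of an assignment

def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score well above human-readable names."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def is_in_scope(path: str) -> bool:
    # Step 2: only source files and .env* files are scanned.
    name = path.rsplit("/", 1)[-1]
    return name.startswith(".env") or name.endswith(SOURCE_EXTENSIONS)

def scan_text(path: str, text: str, entropy_threshold: float = 4.0) -> list:
    """Steps 1, 3 and 4 for one staged file: returns (line_no, rule, severity) tuples."""
    findings = []
    if not is_in_scope(path):
        return findings
    is_test = "test" in path.lower()  # step 3: no entropy check in test files
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits = [(rule, sev) for rule, pat, sev in KNOWN_PATTERNS if re.search(pat, line)]
        findings.extend((line_no, rule, sev) for rule, sev in hits)
        if hits or is_test:
            continue  # a known-format hit already covers this line
        for value in ASSIGNED_VALUE.findall(line):
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((line_no, "high-entropy string", "medium"))
    return findings

# Constructed sample of a staged file; the values are made up, not real credentials.
SAMPLE = """\
const KEY = "sk-proj-abc123def456ghi789";
DATABASE_URL = "postgres://user:pass@host/db"
JWT_SECRET = mysecret
token = "Xk9pQ2vB7mZ4tR8wL1nH5yJ3cF6gD0sA"
name = "human_readable_label_value"
"""
```

Calling scan_text("src/config.ts", SAMPLE) flags lines 1 to 3 by known format and line 4 by entropy only, while the readable value on line 5 stays below the threshold; a non-empty result is what a pre-commit hook would turn into a blocked commit.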

Remediation Actions

When secrets are found:

Immediate

  • Block the commit with a clear error message
  • Show exactly which file and line contains the secret
  • Suggest moving the value to .env and using process.env

Follow-up

  • If a secret was already committed, recommend rotating the credential immediately
  • Generate a .env.example file with placeholder values
  • Add missing entries to .gitignore
  • Set up git-secrets or pre-commit hooks for ongoing protection

Environment File Standards

Required Structure

  • .env: Local development values (never committed)
  • .env.example: Template with placeholder values (committed)
  • .env.test: Test environment values (committed, no real secrets)
  • .env.production: Production values (never committed, managed by CI/CD)

Naming Conventions

  • Use UPPER_SNAKE_CASE for all variable names
  • Prefix with service name: DATABASE_URL, REDIS_HOST, STRIPE_SECRET_KEY
  • Document each variable with inline comments
  • Group related variables with section headers

CI/CD Integration

GitHub Actions

  • Validate that no .env files are included in the build artifact
  • Check that all required env vars are set in the workflow
  • Scan PR diffs for new secret introductions

Docker

  • Never use ENV for secrets in Dockerfiles
  • Use Docker secrets or mount .env at runtime
  • Scan built images for embedded credentials

Configuration

The skill respects a .envguardian.json config file:

  • customPatterns: Additional regex patterns to scan for
  • ignoreFiles: Paths to exclude from scanning
  • severityThreshold: Minimum severity to report (low, medium, high, critical)
  • autoFix: Whether to automatically add .gitignore entries
Safe usage recommendations
This skill appears to do what it claims: scan repositories for exposed secrets and help set up pre-commit/CI checks. Before enabling it, consider: (1) the skill runs shell-style operations (Bash, Grep, Read) and will need access to your repository files and git history — run it on a safe/test repo first; (2) optional features (history scan, Docker image scanning, workflow validation) require external tools (git, docker, image scanners, git-secrets, etc.); ensure those tools are available and trusted; (3) review any generated pre-commit hooks or auto-fix changes (.gitignore, .env.example) before committing—disable autoFix until you inspect outputs; (4) confirm the agent executing the skill has only the repository-level access you intend (it could read any file the agent can access); and (5) there are no declared network endpoints or credential requests, but if you integrate the recommendations into CI you will need to provision secrets there manually and rotate any exposed credentials immediately.
Functional analysis
Type: OpenClaw Skill
Name: flyai-env-guardian
Version: 1.0.0
The flyai-env-guardian skill is a security utility designed to scan codebases for exposed secrets and validate environment variable hygiene. The instructions in SKILL.md are strictly defensive, focusing on identifying high-entropy strings and known credential patterns (e.g., AWS keys, JWT secrets) to prevent accidental commits. The allowed tools (Bash, Grep, Read, Glob) are appropriate for its stated purpose, and there is no evidence of data exfiltration, malicious execution, or prompt-injection attacks.
Capability assessment
Purpose & Capability
The name and description match the SKILL.md content: scanning staged files, checking .env hygiene, recommending pre-commit hooks and CI checks. The skill does not request unrelated credentials or broad system access. One minor mismatch: the documentation references tools/operations (git history scanning, Docker image scanning, git-secrets, GitHub Actions checks) that implicitly require binaries or services (git, docker, image scanners) but the registry entry lists no required binaries; this is plausible for an instruction-only skill but worth noting.
Instruction Scope
The SKILL.md stays within repository and CI/CD hygiene tasks (scanning files, regex/entropy checks, updating .gitignore, generating .env.example, blocking commits). It does not instruct exfiltration or contacting external endpoints. However, several optional actions (deep git-history scans, Docker image scanning, validating workflow secrets) require access to repository history and additional tools; the skill does not declare those dependencies and will rely on the agent environment to provide them. The allowedTools list (Bash, Read, Grep, Glob) implies shell-level file access, which is appropriate but broad — you should review any hooks or auto-fix actions before enabling them.
Install Mechanism
There is no install spec and no code files; it's instruction-only. This minimizes risk from arbitrary downloads or installs.
Credentials
The skill requests no environment variables or credentials. Its recommended actions (e.g., suggesting moving secrets to .env) are consistent with its purpose. There are no surprising secret requests or config path accesses declared.
Persistence & Privilege
always is false and there is no install-time persistence. disable-model-invocation is false (the default) which allows autonomous invocation — expected for skills. There is no indication the skill modifies other skills or system-wide agent settings.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install flyai-env-guardian
  3. After installation, call the Skill by name directly or trigger it with /flyai-env-guardian
  4. Provide the required input as described in the Skill's parameter documentation to receive structured output
Version history
v1.0.0
Initial release of flyai-env-guardian.
  • Scans codebases and commits for exposed environment variables and secrets.
  • Supports pre-commit validation, file extension filters, and entropy analysis for detecting secret patterns.
  • Validates .env file hygiene and ensures proper .gitignore configuration.
  • Provides developer guidance and remediation actions when secrets are found.
  • Integrates with CI/CD pipelines for ongoing protection.
  • Allows customization via .envguardian.json config file.
Metadata
Slug: flyai-env-guardian
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 1
FAQ

What is FlyAI Env Guardian?

Protect sensitive environment variables from accidental exposure in commits, logs, and CI pipelines with automated scanning and pre-commit validation. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 105 downloads to date.

How do I install FlyAI Env Guardian?

Run the command "/install flyai-env-guardian" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is FlyAI Env Guardian free?

Yes, FlyAI Env Guardian is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does FlyAI Env Guardian support?

FlyAI Env Guardian is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed FlyAI Env Guardian?

Developed and maintained by dingtom336-gif (@dingtom336-gif); the current version is v1.0.0.
