Env / .env Auditor

Verified by Community

Scans your project for `.env*` files and audits them: flags any secrets accidentally committed to git, compares your active `.env` against `.env.example` to find missing required vars, and detects drift between dev/prod env configs. Read-only — never modifies your env files.

Tags: security, env, dotenv, secrets, audit, compliance, git

Find env-file problems before they bite you in prod.

Three checks

Check 1 — Secrets committed to git

# Is .env ignored? git check-ignore honours .env* globs, nested .gitignore files
# and the global excludes file, which a plain grep of .gitignore does not.
git check-ignore -q .env && echo "OK: .env is ignored" || echo "WARNING: .env is NOT ignored by git"

# Has a .env file (at any depth, any suffix) ever been added? Templates are expected.
git log --all --diff-filter=A --name-only --pretty=format: \
  | grep -E "(^|/)\.env(\.[A-Za-z0-9_.-]+)?$" | sort -u | grep -v "\.example$" \
  || echo "OK: no .env file ever committed"

# Are there .env files tracked right now?
git ls-files | grep -E "(^|/)\.env(\.[A-Za-z0-9_.-]+)?$" | grep -v "\.example$" || echo "OK: no .env files tracked"

If any .env file IS in git history (even if removed now), every secret it held must be treated as exposed: the blobs stay reachable in the repo and in every clone. Recommend:

  1. Rotate every credential that was in that file, before anything else.
  2. Scrub history with git filter-repo or BFG only if the repo has never been public or cloned elsewhere; existing clones keep the old objects.
  3. If the repo IS public, rotation is the only fix. Purging afterwards does not help, because the data has already been mirrored.
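
Check 1 as a small Python routine, added here as an example and not part of the skill's own code. It classifies the paths that `git log --name-only --pretty=format:` and `git ls-files` print, so it catches nested files (`services/api/.env`) and multi-segment suffixes (`.env.production.local`) that a root-anchored regex misses, and separates template files from real ones. The sample git output is constructed; the `.example` suffix list and the `git` wrapper are assumptions.

```python
"""Classify env-file paths from git output (added example, not the skill's own code)."""
from __future__ import annotations
import re
import subprocess
from dataclasses import dataclass, field

# A dotenv file at any depth: .env, .env.local, .env.production.local, api/.env
# ... but not .environment or env.txt. The multi-segment suffix is deliberate.
ENV_FILE_RE = re.compile(r"(^|/)\.env(\.[A-Za-z0-9_.-]+)?$")
# Template files that are supposed to be committed (assumed list; extend per project).
TEMPLATE_SUFFIXES = (".example",)


def is_env_file(path: str) -> bool:
    return ENV_FILE_RE.search(path) is not None


def is_template(path: str) -> bool:
    return path.endswith(TEMPLATE_SUFFIXES)


@dataclass
class HistoryFindings:
    committed: list[str] = field(default_factory=list)  # real env files added in any commit
    tracked: list[str] = field(default_factory=list)    # real env files in the index now
    templates: list[str] = field(default_factory=list)  # .env.example and friends


def parse_name_only(output: str) -> list[str]:
    """Unique paths from `git log --name-only --pretty=format:` or `git ls-files`."""
    return sorted({line.strip() for line in output.splitlines() if line.strip()})


def audit_env_history(log_output: str, ls_files_output: str) -> HistoryFindings:
    f = HistoryFindings()
    for p in parse_name_only(log_output):
        if is_env_file(p):
            (f.templates if is_template(p) else f.committed).append(p)
    for p in parse_name_only(ls_files_output):
        if is_env_file(p) and not is_template(p):
            f.tracked.append(p)
    return f


def git(repo: str, *args: str) -> str:
    """Run git in `repo` and return stdout; only used against a real checkout."""
    return subprocess.run(["git", "-C", repo, *args], check=True,
                          capture_output=True, text=True).stdout


def audit_repo(repo: str) -> HistoryFindings:
    return audit_env_history(
        git(repo, "log", "--all", "--diff-filter=A", "--name-only", "--pretty=format:"),
        git(repo, "ls-files"),
    )


# Constructed sample output in the shape git prints it; not from a real project.
SAMPLE_LOG = """
.env.example
src/app.py

.env
services/api/.env.production.local
.environment
.env.example
"""
SAMPLE_LS_FILES = ".env.example\nsrc/app.py\nservices/api/.env.production.local\n"


def report(f: HistoryFindings) -> list[str]:
    lines = []
    for p in f.committed:
        state = "still tracked" if p in f.tracked else "removed, but its blobs remain in history"
        lines.append(f"CRITICAL: {p} was committed ({state}); rotate every credential in it")
    if not f.committed:
        lines.append("OK: no .env file ever committed")
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit_env_history(SAMPLE_LOG, SAMPLE_LS_FILES))))
```

Run `audit_repo(".")` inside a checkout for real output; a file that is in `committed` but not in `tracked` is exactly the "removed now, still exposed" case the list above warns about.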

Check 2 — Drift vs .env.example

# Extract assignment names. Handles "export KEY=", lowercase keys and leading blanks,
# which a grep for ^[A-Z_] silently drops.
envkeys() { sed -nE 's/^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*)[[:space:]]*=.*/\2/p' "$1" | sort -u; }

# Vars in .env.example but missing from .env
comm -23 <(envkeys .env.example) <(envkeys .env)

# Vars in .env but missing from .env.example (forgotten to document)
comm -13 <(envkeys .env.example) <(envkeys .env)

Report both directions. Vars missing from .env will likely cause runtime errors. Vars missing from .env.example mean a new dev won't know they need to set them.
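
The same comparison in Python, added as an example and not the skill's own code. It parses both files with one small dotenv reader (comments, blank lines, `export` prefixes, last-wins duplicates) and reports a third condition the shell check cannot see: a variable that is declared but empty, which fails at runtime just like a missing one. Key names are case-sensitive, as they are for every common loader, so `log_level` and `LOG_LEVEL` are different variables. The two sample files are constructed.

```python
"""Drift between .env and .env.example (added example, not the skill's own code)."""
from __future__ import annotations
import re

# One assignment per line: optional `export`, a name, `=`, the raw remainder.
# Lowercase names are accepted because most loaders accept them too.
ASSIGN_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=(.*)$")


def parse_dotenv(text: str) -> dict[str, str]:
    """Return {name: raw value}. Blank lines and # comments are skipped; a name
    that appears twice keeps its last value, matching common loaders."""
    found: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found


def drift(example_text: str, env_text: str) -> tuple[list[str], list[str], list[str]]:
    """(missing from .env, undocumented in .env.example, present but empty in .env)."""
    example = parse_dotenv(example_text)
    env = parse_dotenv(env_text)
    missing = sorted(example.keys() - env.keys())
    undocumented = sorted(env.keys() - example.keys())
    # Declared but empty usually fails at runtime exactly like a missing var.
    empty = sorted(k for k in example if k in env and env[k].strip("\"'") == "")
    return missing, undocumented, empty


# Constructed sample files (not from any real project).
SAMPLE_EXAMPLE = """\
# Copy to .env and fill in the blanks
DATABASE_URL=postgres://user:pass@localhost/app
export API_KEY=
SESSION_SECRET=changeme
LOG_LEVEL=info
"""
SAMPLE_ENV = """\
DATABASE_URL="postgres://app:s3cret@db.internal/app"
export API_KEY=
log_level=debug
SENTRY_DSN=https://example.invalid/42
"""


def report(example_text: str, env_text: str) -> list[str]:
    missing, undocumented, empty = drift(example_text, env_text)
    lines = [f"WARNING: {k} is in .env.example but missing from .env" for k in missing]
    lines += [f"WARNING: {k} is set but empty in .env" for k in empty]
    lines += [f"WARNING: {k} is in .env but not documented in .env.example" for k in undocumented]
    return lines or ["OK: .env and .env.example agree"]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXAMPLE, SAMPLE_ENV)))
```

The parser keeps values raw on purpose: the auditor only needs names and emptiness, and it never writes anything back.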

Check 3 — Heuristic secret detection in tracked files

Flag any tracked file containing patterns that look like real secrets:

# AWS keys
git grep -n -E "AKIA[0-9A-Z]{16}"

# OpenAI / Anthropic keys
git grep -n -E "sk-[A-Za-z0-9]{32,}"
git grep -n -E "sk-ant-[A-Za-z0-9-]{40,}"

# GitHub tokens
git grep -n -E "ghp_[A-Za-z0-9]{36}"
git grep -n -E "github_pat_[A-Za-z0-9_]{82}"

# JWT-shaped
git grep -n -E "eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"

# Generic: an identifier containing key/secret/token/password (SECRET_KEY, DB_PASSWORD, ...)
# assigned a quoted 30+ char value. This only checks length, not entropy, so expect noise.
git grep -n -iE "(api[_-]?key|secret|token|password)[A-Za-z0-9_]*[[:space:]]*[:=][[:space:]]*[\"'\`][A-Za-z0-9+/=_-]{30,}[\"'\`]"

False positives are common (test fixtures, documented example keys, base64 blobs), so review each match. Every hit is reported with a "SECRET? <file>:<line>" prefix and stays a candidate until a human confirms it. Note that git grep only searches the tracked working tree: a secret deleted in a later commit is still in history, which is what Check 1 covers.
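
The same patterns as a scanner that runs over file contents, added here as an example and not the skill's own code. It keeps the fixed-shape rules (AWS, OpenAI, Anthropic, GitHub, JWT) as they are and makes the generic rule actually test for entropy rather than length: a 36-character run of `x` or `a` is skipped, a random-looking 34-character password is flagged. The placeholder list and the 3.5 bits/char threshold are assumptions to tune per code base; the sample files are constructed, the AKIA value is the example key from AWS's own documentation, and the JWT-shaped string is not a real credential.

```python
"""Heuristic secret scan (added example, not the skill's own code)."""
from __future__ import annotations
import math
import re
from collections import Counter

# Same token shapes as the git grep commands above.
PATTERNS = {
    "aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "openai-key": re.compile(r"\bsk-[A-Za-z0-9]{32,}\b"),
    "anthropic-key": re.compile(r"\bsk-ant-[A-Za-z0-9-]{40,}"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github-fine-grained-pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}
# Generic rule: an identifier containing key/secret/token/password assigned a
# quoted value of 30+ characters. Length alone is not "high entropy", so the
# match is gated on Shannon entropy and a placeholder list below.
GENERIC = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)\w*\s*[:=]\s*[\"'`]([A-Za-z0-9+/=_-]{30,})[\"'`]"
)
PLACEHOLDERS = re.compile(r"(?i)^(x{8,}$|changeme|your[_-]|<|\$\{|example|placeholder)")
MIN_ENTROPY_BITS = 3.5  # bits per character; assumed threshold, tune per code base


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> list[str]:
    """Findings for one file, each as 'SECRET? <path>:<line> <rule>'."""
    findings: list[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                findings.append(f"SECRET? {path}:{lineno} {name}")
        m = GENERIC.search(line)
        if m and not PLACEHOLDERS.match(m.group(2)):
            if shannon_entropy(m.group(2)) >= MIN_ENTROPY_BITS:
                findings.append(f"SECRET? {path}:{lineno} generic-high-entropy")
    return findings


def scan_files(files: dict[str, str]) -> list[str]:
    return [hit for path, text in files.items() for hit in scan_text(path, text)]


# Constructed sample files. The AKIA value is the example key from AWS's own
# documentation and the JWT is only a plausible shape, not a real credential.
SAMPLE_FILES = {
    "config/settings.py": "\n".join([
        "DEBUG = False",
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
        'api_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"',     # placeholder, skipped
        'SECRET_KEY = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"',  # zero entropy, skipped
        "password = 'k8Qz2vN4pLw9XcR1tYbH7mJdE3sFgA6uVo'",     # random-looking, flagged
        'id_token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc123"',
    ]),
    "README.md": "Set GITHUB_TOKEN to a ghp_ token created under Settings.",
}

if __name__ == "__main__":
    print("\n".join(scan_files(SAMPLE_FILES)))
```

To run it over a real checkout, feed `scan_text` the contents of each path from `git ls-files`; the output lines drop straight into the Critical section of the report below.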

Output

# Env Audit — <project>

## Critical
- [ ] <issue requiring immediate action>

## Warnings
- <issue worth fixing>

## OK
- <check that passed>

What this skill does NOT do

  • Modify any .env file. (Read-only — that's a deliberate constraint.)
  • Commit a fix. (The user makes the call.)
  • Rotate credentials for you. (You have to do that in the relevant provider.)

When to run

  • Onboarding a new dev to a project.
  • Before making a private repo public.
  • After a suspected leak.
  • Quarterly as a routine check.