skills/env-setup/SKILL.md
Scan codebase for environment variables, generate .env.example, validate .env, and ensure .gitignore safety
```bash
npx skillsauth add m4d3bug/oh-my-openclaw env-setup
```
Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Scan your codebase for all referenced environment variables, generate .env.example, validate your current .env, and ensure secrets aren't committed.
Search for env var references across all common patterns:

```bash
# Node.js / JavaScript / TypeScript
grep -rn "process\.env\.\w\+" --include="*.js" --include="*.ts" --include="*.jsx" --include="*.tsx" . | grep -v node_modules | grep -v dist

# Python
grep -rn "os\.environ\|os\.getenv\|environ\.get" --include="*.py" . | grep -v __pycache__ | grep -v .venv

# Rust
grep -rn "env::var\|env::var_os\|dotenv" --include="*.rs" . | grep -v target

# Go
grep -rn "os\.Getenv\|os\.LookupEnv\|viper\." --include="*.go" . | grep -v vendor

# Docker / docker-compose
grep -rn "\${.*}" --include="*.yml" --include="*.yaml" docker-compose* 2>/dev/null

# General .env references in config files
grep -rn "env\." --include="*.toml" --include="*.yaml" --include="*.yml" . 2>/dev/null
```
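Windows PowerShell alternative (`-Exclude` matches item names only, so vendored directories are filtered on the full path instead):

```powershell
Get-ChildItem -Recurse -File -Include *.js,*.ts,*.jsx,*.tsx | Where-Object FullName -notmatch '[\\/](node_modules|dist)[\\/]' |
  Select-String "process\.env\.\w+"
Get-ChildItem -Recurse -File -Include *.py | Where-Object FullName -notmatch '[\\/](__pycache__|\.venv)[\\/]' |
  Select-String "os\.environ|os\.getenv"
```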
Parse grep output to extract unique variable names:

- `process.env.DATABASE_URL` → `DATABASE_URL`
- `os.environ.get("SECRET_KEY", "default")` → `SECRET_KEY` (default: `default`)
- `os.getenv("API_KEY")` → `API_KEY`
- `env::var("RUST_LOG")` → `RUST_LOG`

Deduplicate and sort alphabetically. Note which file and line each var is referenced in.
Categorize each variable:
| Category | Pattern | Examples |
|----------|---------|---------|
| 🔴 Secrets | *KEY*, *SECRET*, *TOKEN*, *PASSWORD*, *CREDENTIAL* | API_KEY, JWT_SECRET |
| 🟡 Service URLs | *URL*, *HOST*, *ENDPOINT*, *URI* | DATABASE_URL, REDIS_HOST |
| 🟢 Configuration | *PORT*, *ENV*, *MODE*, *LEVEL*, *DEBUG* | PORT, NODE_ENV, LOG_LEVEL |
| ⚪ Other | Everything else | APP_NAME, MAX_RETRIES |
Create .env.example with descriptions, categories, and safe defaults:

```env
# ============================================
# Environment Configuration
# Generated by env-setup skill
# ============================================

# --- App Configuration ---
NODE_ENV=development
PORT=3000
LOG_LEVEL=info

# --- Database ---
DATABASE_URL=postgresql://user:password@localhost:5432/dbname

# --- Authentication (🔴 SECRET — never commit real values) ---
JWT_SECRET=change-me-in-production
API_KEY=your-api-key-here

# --- External Services ---
REDIS_URL=redis://localhost:6379
```
Rules:

- change-me, your-xxx-here)
- 🔴 SECRET warning on sensitive vars

If .env exists, compare against discovered variables:
```markdown
## .env Validation Report

### ❌ Missing (required by code but not in .env)
- `STRIPE_SECRET_KEY` — referenced in src/billing.ts:14
- `SMTP_PASSWORD` — referenced in src/email.ts:8

### ⚠️ Unused (in .env but not referenced in code)
- `OLD_API_ENDPOINT` — may be safe to remove

### ✅ Present and referenced
- `DATABASE_URL` ✓
- `PORT` ✓
- `NODE_ENV` ✓
```
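An added example (not part of the env-setup skill itself) that carries the extract, categorize and validate steps above through on a constructed sample project. The function names, the sample files and the reduced pattern set (`process.env.X` and quoted-name calls only) are assumptions of this example.

```bash
# Added example; all file contents below are constructed sample data.

# Unique, sorted env var names referenced in source files under directory $1.
extract_vars() {
  grep -rhoE \
    -e 'process\.env\.[A-Za-z_][A-Za-z0-9_]*' \
    -e '(os\.getenv|environ\.get|env::var|os\.Getenv)\("[A-Za-z_][A-Za-z0-9_]*"' \
    --include='*.js' --include='*.ts' --include='*.py' --include='*.rs' \
    --include='*.go' --exclude-dir=node_modules --exclude-dir=.venv \
    "$1" 2>/dev/null |
    sed -E 's/^process\.env\.//; s/^.*\("//; s/"$//' | sort -u
}

# Category for name $1, following the page's pattern table (first match wins).
classify() {
  case "$1" in
    *KEY*|*SECRET*|*TOKEN*|*PASSWORD*|*CREDENTIAL*) echo secret ;;
    *URL*|*HOST*|*ENDPOINT*|*URI*) echo service-url ;;
    *PORT*|*ENV*|*MODE*|*LEVEL*|*DEBUG*) echo config ;;
    *) echo other ;;
  esac
}

# Sorted keys defined in .env file $1; comments and malformed lines are skipped.
env_keys() {
  sed -nE 's/^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*)=.*/\2/p' "$1" |
    sort -u
}

# "missing NAME (category)" / "unused NAME" lines for source dir $1 and .env file $2.
validate_env() {
  used=$(mktemp); defined=$(mktemp)
  extract_vars "$1" > "$used"; env_keys "$2" > "$defined"
  comm -23 "$used" "$defined" | while read -r v; do echo "missing $v ($(classify "$v"))"; done
  comm -13 "$used" "$defined" | sed 's/^/unused /'
  rm -f "$used" "$defined"
}

# Constructed sample project: two source files, a vendored file, and a .env.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/src" "$demo/node_modules/dep"
printf 'const db = process.env.DATABASE_URL;\nlisten(process.env.PORT);\n' > "$demo/src/app.ts"
printf 'key = os.environ.get("STRIPE_SECRET_KEY", "default")\n' > "$demo/src/billing.py"
printf 'x = process.env.VENDORED_ONLY\n' > "$demo/node_modules/dep/index.js"
printf '# local\nDATABASE_URL=postgresql://localhost/dev\nexport PORT=3000\nOLD_API_ENDPOINT=http://old\n' > "$demo/.env"
validate_env "$demo" "$demo/.env"
```

The report only prints variable names and never values, so it is safe to paste into a ticket or CI log; the reference inside `node_modules` is not reported.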
Check that .env is in .gitignore:

```bash
grep -q "^\.env$\|^\.env\.\*" .gitignore 2>/dev/null
```

If not found, offer to add:

```gitignore
# Environment files
.env
.env.local
.env.*.local
```

Also check git history for accidentally committed .env files:

```bash
git log --all --diff-filter=A -- .env .env.local .env.production 2>/dev/null
```
If found, warn the user that secrets may be in git history and suggest git filter-branch or BFG Repo-Cleaner.
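A `.gitignore` entry has no effect on a file that is already tracked, so the grep check above can pass while `.env` is still in the index. The following added example (not part of the skill; `env_exposure` is a hypothetical helper name) asks git itself, using `git ls-files --error-unmatch`, the history query from above, and `git check-ignore --no-index`, on a constructed throwaway repository.

```bash
# Added example. Classify how exposed file $2 is in repo $1:
#   tracked | history | unignored | ok
env_exposure() {
  if git -C "$1" ls-files --error-unmatch -- "$2" >/dev/null 2>&1; then
    echo tracked      # in the index: ignore rules do not apply to it
  elif [ -n "$(git -C "$1" log --all --diff-filter=A --format=%h -- "$2" 2>/dev/null)" ]; then
    echo history      # no longer tracked, but old commits still contain it
  elif ! git -C "$1" check-ignore -q --no-index -- "$2"; then
    echo unignored    # nothing prevents a later `git add .` from staging it
  else
    echo ok
  fi
}

# Constructed demo repository; the key value is a placeholder, not a real secret.
repo=$(mktemp -d); trap 'rm -rf "$repo"' EXIT
g() {
  git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
      -c commit.gpgsign=false "$@"
}
g init -q
printf 'API_KEY=constructed-not-real\n' > "$repo/.env"
s0=$(env_exposure "$repo" .env)   # unignored: no .gitignore yet

g add .env && g commit -qm 'add config'
printf '.env\n' > "$repo/.gitignore"
g add .gitignore && g commit -qm 'ignore .env'
s1=$(env_exposure "$repo" .env)   # tracked, although .gitignore now lists it

g rm -q --cached .env && g commit -qm 'untrack .env'
s2=$(env_exposure "$repo" .env)   # history: the first commit still holds the file

echo "$s0 -> $s1 -> $s2"
```

A `tracked` or `history` result means the values were committed at some point, which is the case the history-rewrite suggestion above addresses.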
```markdown
# Environment Variable Report

| Metric | Count |
|--------|-------|
| Total vars found | 15 |
| 🔴 Secrets | 4 |
| ❌ Missing from .env | 2 |
| ⚠️ Unused in .env | 1 |
| ✅ Properly configured | 12 |
| .gitignore protection | ✅ |
```
- `NEXT_PUBLIC_*` (client-exposed); flag these distinctly
- `docker-compose.yml` `environment:` section too
- `.env.development`, `.env.production`, `.env.test` — validate all
- `.env.example` and a starter `.env`
- `${VAR:-default}` in shell scripts — extract `VAR`

| Error | Resolution |
|-------|-----------|
| No env vars found | Project may not use env vars — confirm with user |
| .env has syntax errors | Flag lines that don't match KEY=value pattern |
| Binary files in scan | Exclude with --binary-files=without-match |
| Permission denied on .env | Check file permissions; may need elevated access |
Built by Clawb (SOVEREIGN) — more skills at [coming soon]