mathews-tom/env-validator
skills/env-validator/SKILL.md
Validates .env files against code references and manifests for missing vars, type mismatches, insecure defaults, and unused entries. Triggers on: "validate env file", "check environment variables", "missing env vars", "check .env", "dotenv validation". NOT for secret scanning, use repo-sentinel.
$ install --global
skillsauthnpx skillsauth add mathews-tom/armory env-validatorInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 4, 2026, 7:05 AM319.8s3 files scanned
SKILL.md
- name:
- env-validator
- description:
- Validates .env files against code references and manifests for missing vars, type mismatches, insecure defaults, and unused entries. Triggers on: "validate env file", "check environment variables", "missing env vars", "check .env", "dotenv validation". NOT for secret scanning, use repo-sentinel.
- version:
- 1.0.1
- category:
- operations
- tags:
- [env, configuration, validation, dotenv, deployment]
- difficulty:
- intermediate
- phase:
- build
Env Validator
Validates environment variable configurations by cross-referencing .env files against
project requirements. Catches missing variables, type errors, insecure defaults, and
orphaned entries before they cause runtime failures.
Reference Files
| File | Contents | Load When |
| ------------------------------------ | ------------------------------------------------- | ---------------------- |
| references/validation-rules.md | Built-in validation rules and severity definitions | Always |
Prerequisites
- A
.envfile (or equivalent) in the project - Optionally:
.env.example,docker-compose.yml, or deployment manifests for cross-referencing
Workflow
Phase 1: Discovery
Locate environment configuration sources in the project:
- Primary file: Find
.envin the project root. If absent, check for.env.local,.env.development,.env.production - Schema file: Find
.env.exampleor.env.template— this defines the expected variables - Code references: Grep for
os.environ,process.env,env::var,os.Getenvpatterns to find variables referenced in code - Deployment manifests: Check
docker-compose.yml,Dockerfile,k8s/manifests for${VAR}orENV VARpatterns
Report what was found before proceeding.
Phase 2: Schema Extraction
Build the expected variable schema from discovered sources:
For each variable found across all sources, record:
| Field | Source |
| ----------- | --------------------------------------------------------- |
| Name | Variable name (e.g., DATABASE_URL) |
| Required | Present in code references or marked required in example |
| Type hint | Inferred from usage (URL, integer, boolean, string, path) |
| Default | Value in .env.example if present |
| Used in | List of files that reference this variable |
Phase 3: Validation
Run these checks against the primary .env file:
-
Missing required variables (CRITICAL)
- Variable referenced in code but absent from
.env - Variable in
.env.examplewithout a default but absent from.env
- Variable referenced in code but absent from
-
Type mismatches (HIGH)
PORT=abcwhen code doesint(os.environ["PORT"])DEBUG=yeswhen code expects boolean (true/false)- URL variables without valid URL format
-
Insecure defaults (HIGH)
SECRET_KEY=changeme,PASSWORD=password,API_KEY=xxxDEBUG=trueorDEBUG=1in production-targeted files- Empty values for security-critical variables
-
Unreferenced variables (MEDIUM)
- Variables in
.envnot referenced anywhere in code or manifests - May indicate stale configuration
- Variables in
-
Format issues (LOW)
- Lines without
KEY=VALUEformat - Trailing whitespace in values
- Inconsistent quoting (mixing single/double/no quotes)
- Duplicate variable definitions (last wins, but likely a mistake)
- Lines without
See references/validation-rules.md for the complete rule catalog.
Phase 4: Report
Produce a structured validation report:
# Environment Validation Report
**File:** `.env`
**Schema:** `.env.example` + code references
**Verdict:** PASS | FAIL
## Summary
| Severity | Count |
|----------|-------|
| CRITICAL | N |
| HIGH | N |
| MEDIUM | N |
| LOW | N |
## CRITICAL
### [ENV-001] Missing required variable: DATABASE_URL
- **Referenced in:** `src/db.py:12`, `docker-compose.yml:8`
- **Expected type:** URL (postgresql://...)
- **Fix:** Add `DATABASE_URL=postgresql://user:pass@localhost:5432/dbname` to `.env`
## HIGH
...
## Unreferenced Variables
| Variable | In .env | In Code | In Manifests | Status |
|-----------------|---------|---------|--------------|--------------|
| LEGACY_API_KEY | Yes | No | No | Unreferenced |
## Recommendations
1. [Highest priority fix]
2. [Second fix]
Error Handling
| Error | Resolution | | --------------------------------- | ----------------------------------------------------- | | No .env file found | Report absence; check for alternative env sources | | No .env.example or schema | Validate based on code references only | | Binary or very large .env | Skip; report as unsupported format | | No code references found | Validate format and security only; skip completeness |
Limitations
- Cannot validate runtime-injected variables (from vault, AWS SSM, etc.)
- Type inference is heuristic — may misclassify complex values
- Does not check variable values against external services (e.g., valid API key format)
- Production vs. development distinction requires file naming conventions
Related Skills
mathews-tom/stacked-prs
testing
VerifiedTrustedCommunity
Manages dependent branch stacks and stacked pull requests using safe Git topology rules. Triggers on: "create stacked PRs", "publish this stack", "sync my PR stack", "rebase this stack", "merge the stack", "retarget child PRs", "split this branch into stacked PRs", "validate this stack", "cleanup stacked branches". Use when local branches or one source branch need to become a dependency-ordered PR stack with correct parent bases, validation, synchronization, merge order, and cleanup.
242SKILL.mdUpdated May 23, 2026
mathews-tom/project-context-setup
development
VerifiedTrustedCommunity
Scaffolds per-repository agent context so coding agents share the same issue tracker rules, triage label vocabulary, domain glossary, ADR layout, and handoff conventions. Triggers on: "set up project context", "configure agent docs", "create CONTEXT.md", "setup agent workflow", "agent issue tracker setup", "triage labels", "domain glossary for agents". Use when a repo needs durable context files before planning, triage, debugging, TDD, architecture review, or multi-agent implementation.
230SKILL.mdUpdated May 12, 2026
mathews-tom/task-decomposer
testing
VerifiedTrustedCommunity
Produces phased task boards from feature requests: dependency-mapped work items, parallelization flags, risk flags, edge cases, test matrices. Triggers on: "decompose this feature", "task breakdown with dependencies", "phased implementation plan", "work breakdown structure". NOT for effort estimates, use estimate-calibrator.
230SKILL.mdUpdated Apr 6, 2026
mathews-tom/debug-investigator
development
VerifiedTrustedCommunity
Hypothesis-driven debugging with ranked hypotheses, git bisect strategy, instrumentation planning, and minimal reproduction design. Triggers on: "debug this systematically", "root cause analysis", "bisect this bug", "rank hypotheses", "isolate this issue", "minimal reproduction". NOT for general reasoning.
230SKILL.mdUpdated Apr 6, 2026