Skill

env-audit

Audit environment variable security and configuration. Detects leaked secrets in git history, .env files missing from .gitignore, hardcoded credentials in source code, .env vs .env.example drift, insecure default values, and missing required variables. Use when reviewing env configuration, checking for secret leaks, auditing dotenv setup, or preparing for deployment. Triggers on "env audit", "environment variables", "secret leak", "dotenv check", ".env security", "hardcoded credentials", "env drift".

From vca-complete

Install

Run in your terminal

npx claudepluginhub mralbertzwolle/vca-tools --plugin vca-complete

Tool Access

This skill uses the workspace's default tool permissions.

Skill Content

Similar Skills

skill-lookup

Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.

prompts.chat

157.6k

prompt-lookup

Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.

prompts.chat

157.6k

benchmark

Benchmarks web page Core Web Vitals/bundle sizes, API latency under load, build times; detects regressions via before/after PR comparisons.

ecc

145.8k

Stats

Parent Repo Stars0

Parent Repo Forks0

Last CommitMar 18, 2026

Actions

View Source View Plugin View on GitHub View README

env-audit

From vca-complete

What It Checks (50+ checks)

Secret Security (15 checks)

.env files in .gitignore

Secrets committed to git history

Hardcoded API keys, tokens, passwords in source

Private keys in repository

Base64-encoded secrets in code

Secrets in CI/CD config files

Secrets in Docker/docker-compose files

Configuration Completeness (12 checks)

.env.example exists and is up to date

All referenced process.env.* have corresponding entries

Missing required variables (DB, auth, API keys)

Unused env vars (defined but never referenced)

Type mismatches (boolean vs string)

Best Practices (13 checks)

Naming conventions (UPPER_SNAKE_CASE)

Prefix consistency (NEXT_PUBLIC_, VITE_, REACT_APP_)

Default values in code vs env

Environment-specific files (.env.local, .env.production)

dotenv library usage and load order

Deployment Readiness (10 checks)

Production env vars differ from development defaults

No localhost/127.0.0.1 in production configs

SSL/TLS URLs in production

Required third-party service keys present

Doppler/Vault/secrets manager integration

Environment Variable Audit

Audit environment variable configuration for security, completeness, and best practices. Use /env-audit:run to start.

What It Checks (50+ checks)

Secret Security (15 checks)

.env files in .gitignore
Secrets committed to git history
Hardcoded API keys, tokens, passwords in source
Private keys in repository
Base64-encoded secrets in code
Secrets in CI/CD config files
Secrets in Docker/docker-compose files

Configuration Completeness (12 checks)

.env.example exists and is up to date
All referenced process.env.* have corresponding entries
Missing required variables (DB, auth, API keys)
Unused env vars (defined but never referenced)
Type mismatches (boolean vs string)

Best Practices (13 checks)

Naming conventions (UPPER_SNAKE_CASE)
Prefix consistency (NEXT_PUBLIC_, VITE_, REACT_APP_)
Default values in code vs env
Environment-specific files (.env.local, .env.production)
dotenv library usage and load order

Deployment Readiness (10 checks)

Production env vars differ from development defaults
No localhost/127.0.0.1 in production configs
SSL/TLS URLs in production
Required third-party service keys present
Doppler/Vault/secrets manager integration