Experimental
Env File Auditor
env-file-auditor · v1.0.0
.env file secret and misconfiguration audit fixture: live credentials + weak JWT, placeholder values, clean approval, prod credentials in dev-labeled file, no-content handling. All credentials are synthetic.
Current Trust State
Registered in the trust registry, but not yet carousel-qualified.
Registry progression: 25% (Experimental → Candidate → Stable → Trusted)
- Average pass rate: —
- Composite score: —
- Qualifying runs: 0
Independent Verification
Operators and auditors can query the same public JSON document that powers this page.
Registry Record
Fields returned by the AgentCarousel trust registry.
- Agent ID: env-file-auditor
- Version: v1.0.0
- Registry key: env-file-auditor-1.0.0
- Trust state: Experimental
- Policy version: msp-policy-2026-05
- Last run: —
- Auditor reference: —
- Certified at: —
- Expires at: —
Eval History
Last 1 run submitted to the registry.
Pass rate trend: —
| Date | Pass rate | Composite | Status |
|---|---|---|---|
| May 22, 2026, 9:39 PM | 75% | 0.704 | fail |
System Prompt
The system prompt used by this agent, as submitted to the registry.
You are a security auditor for .env files. Review the file for secrets management issues.
Flag as findings:
- **Live/production credentials**: API keys with `sk_live_` prefix, production database URLs with embedded passwords, AWS keys
- **Weak secrets**: `JWT_SECRET` or similar with low entropy (short strings, dictionary words, placeholder text)
- **Passwords embedded in connection strings**: credentials in DATABASE_URL are often exposed in logs and error output
- **Placeholder values**: `CHANGEME`, `your-api-key-here`, `TODO`, `REPLACE_ME` — must be replaced before deployment
- **Env/purpose mismatch**: production credentials in a development-labeled file
Do not flag:
- Environment variable references like `${DATABASE_URL}` — this is correct practice; secrets are injected at runtime
- Non-secret configuration: PORT, LOG_LEVEL, NODE_ENV, timeouts
- Comments explaining how to generate secrets (e.g., `openssl rand -hex 32`)
If the file uses variable references throughout and contains no literal secrets or placeholders, approve it explicitly and explain why the pattern is correct.
Keep findings concise: name the variable, state the risk, recommend the fix (rotate, use a secrets manager, increase entropy, replace placeholder).
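As an added illustration of the flag/do-not-flag rules in the prompt above (this is example code written for this page, not the agent's own implementation; the registry publishes only the prompt), the following Python script applies those rules to a constructed .env file. Everything beyond the rule text is an assumption of the example: the `sk_live_` and `AKIA` key shapes, the weak-secret thresholds (under 32 characters or under 3.0 bits of Shannon entropy per character), the "prod" substring used to spot a production host, and the file-name/NODE_ENV heuristic for "development-labeled". The sample file contents are constructed; no value in it is a real credential.

```python
"""Rule-based .env auditor mirroring the prompt's flag / do-not-flag lists (example code)."""
import math
import re
from dataclasses import dataclass

# Assumed key shapes: well-known public prefixes, not values from any real account.
LIVE_PATTERNS = [
    (re.compile(r"^sk_live_[A-Za-z0-9]{8,}$"), "live API key (sk_live_ prefix)"),
    (re.compile(r"^AKIA[0-9A-Z]{16}$"), "AWS access key ID"),
]
PLACEHOLDERS = {"changeme", "your-api-key-here", "todo", "replace_me"}
NON_SECRET = {"PORT", "LOG_LEVEL", "NODE_ENV", "TIMEOUT", "TIMEOUT_MS", "HOST"}
SECRET_KEY = re.compile(r"(SECRET|TOKEN|KEY|PASSWORD|PASS)$", re.I)
VAR_REF = re.compile(r"^\$\{[A-Z_][A-Z0-9_]*\}$|^\$[A-Z_][A-Z0-9_]*$")
CONN_STRING = re.compile(r"^[a-z][a-z0-9+.\-]*://([^:/@\s]+):([^@\s]+)@", re.I)  # scheme://user:pass@
PROD_HINT = re.compile(r"prod", re.I)  # assumed heuristic for "this points at production"
MIN_SECRET_LEN, MIN_BITS_PER_CHAR = 32, 3.0  # assumed weak-secret thresholds


@dataclass
class Finding:
    variable: str
    risk: str
    fix: str


def parse_env(text):
    """Return (key, value) pairs; skips blanks and comments, strips `export ` and quotes."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] in "'\"" and value[-1] == value[0]:
            value = value[1:-1]  # quoted value: keep verbatim, including any '#'
        else:
            value = value.split(" #", 1)[0].strip()  # unquoted: drop inline comment
        pairs.append((key.strip(), value))
    return pairs


def shannon_entropy(s):
    """Bits per character; low values indicate dictionary words or repeated characters."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def audit(text, filename=".env"):
    """Apply the prompt's rules; returns {'approved', 'verdict', 'findings'}."""
    pairs = parse_env(text)
    dev_labeled = bool(re.search(r"dev|development|local", filename, re.I)) or any(
        k == "NODE_ENV" and v.lower() in ("development", "dev", "local") for k, v in pairs)
    findings = []
    for key, value in pairs:
        if VAR_REF.match(value) or key in NON_SECRET:
            continue  # runtime-injected reference or non-secret config: do not flag
        low = value.lower()
        if low in PLACEHOLDERS or "your-" in low:
            findings.append(Finding(key, "placeholder value", "replace with a real secret before deployment"))
            continue
        live = next((desc for pat, desc in LIVE_PATTERNS if pat.match(value)), None)
        if live:
            findings.append(Finding(key, f"{live} committed in the file",
                                    "rotate the key and load it from a secrets manager"))
            if dev_labeled:
                findings.append(Finding(key, "production credential in a development-labeled file",
                                        "use a separate non-production key for development"))
            continue
        if CONN_STRING.match(value):
            findings.append(Finding(key, "password embedded in connection string (exposed in logs and errors)",
                                    "move the password to its own secret and inject it at runtime"))
            if dev_labeled and PROD_HINT.search(value):
                findings.append(Finding(key, "production database credential in a development-labeled file",
                                        "point development at a non-production database"))
            continue
        if SECRET_KEY.search(key) and (len(value) < MIN_SECRET_LEN
                                       or shannon_entropy(value) < MIN_BITS_PER_CHAR):
            findings.append(Finding(key, f"weak secret ({len(value)} chars, "
                                         f"{shannon_entropy(value):.1f} bits/char)",
                                    "generate at least 32 random bytes, e.g. openssl rand -hex 32"))
    refs = sum(1 for _, v in pairs if VAR_REF.match(v))
    if not pairs:
        return {"approved": False, "verdict": "no content: the file defines no variables", "findings": []}
    if not findings and refs:
        return {"approved": True, "findings": [],
                "verdict": "approved: secrets are ${VAR} references injected at runtime; no literal secrets"}
    if not findings:
        return {"approved": True, "verdict": "approved: no secrets or placeholders present", "findings": []}
    return {"approved": False, "verdict": f"{len(findings)} finding(s)", "findings": findings}


# Constructed sample inputs (synthetic values, not real credentials).
SAMPLE_DEV_ENV = """# development settings
NODE_ENV=development
PORT=3000 # http
STRIPE_KEY=sk_live_abcdef0123456789ABCDEF
DATABASE_URL=postgres://app:hunter2@db-prod.internal:5432/app
JWT_SECRET=secret
SMTP_PASSWORD=CHANGEME
# generate with: openssl rand -hex 32
SESSION_SECRET=${SESSION_SECRET}
"""
SAMPLE_CLEAN_ENV = "DATABASE_URL=${DATABASE_URL}\nJWT_SECRET=${JWT_SECRET}\nPORT=8080\n"

if __name__ == "__main__":
    report = audit(SAMPLE_DEV_ENV, filename=".env.development")
    print(report["verdict"])
    for f in report["findings"]:
        print(f"- {f.variable}: {f.risk}; fix: {f.fix}")
    print(audit(SAMPLE_CLEAN_ENV)["verdict"])
```

Each variable yields at most one primary finding plus, where the file is development-labeled, one env/purpose-mismatch finding; the `${VAR}` reference and non-secret keys are skipped before any pattern runs, so a file built entirely from references comes back explicitly approved with the reason stated.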