Repository inventory

wrsmith108/varlock-claude-skill

Skills indexed from this repository, with install-style signals scoped to the repo.
1 skills5 GitHub stars0 weekly installsGitHubOwner profile

Overview

This skill provides secure-by-default environment variable management using Varlock. It prevents secrets from being exposed in terminals, logs, traces, or the AI session context. Use it to validate, mask, and inject secrets safely into commands and CI/CD without ever printing secret values.

How this skill works

Varlock uses a .env.schema file to declare variable types, validation rules, and sensitivity annotations. Commands like varlock load validate and mask sensitive values, while varlock run injects validated environment variables into a subprocess without printing them. The CLI also supports external secret loaders (1Password, AWS, env) and enforces rules that block direct reads or echoes of .env values.

When to use it

  • When handling API keys, passwords, tokens, or any secrets during development
  • Before running builds, tests, or starting servers to ensure required vars are present
  • In CI/CD pipelines to validate environment variables without revealing values
  • When rotating secrets to validate new values before deploying
  • When integrating secrets from external sources like 1Password or AWS Secrets Manager

Best practices

  • Never cat or echo .env files or environment variables inside Claude sessions
  • Declare all variables in .env.schema and mark secrets with @sensitive
  • Add @defaultSensitive=true to the schema header for high-security projects
  • Use varlock load --quiet in scripts and CI to validate silently
  • Run commands with varlock run -- <cmd> so secrets are injected but not printed

Example use cases

  • Validate production environment in CI: set env vars from secrets store then run varlock load --quiet
  • Start a server securely: varlock run -- npm start so runtime sees secrets but logs do not
  • Check a missing or malformed secret by running varlock load to see masked error details
  • Rotate a secret: update external store or .env, then run varlock load to confirm validity
  • Docker entrypoint that validates env at container start using varlock run

FAQ

No. Claude should never read .env files. Use varlock load to validate and view masked output and cat .env.schema to review the schema safely.

How do I run commands that need secrets without exposing them?

Use varlock run -- <command>. Varlock injects validated environment variables into the subprocess but never prints the secret values.

What if a secret gets exposed in logs?

Rotate the exposed secret immediately, mark the variable @sensitive in .env.schema, and switch commands to varlock patterns to prevent future exposure.

1 skills

More from this maintainer
Other repositories and skills published under the same GitHub owner.
Skills library
Jump back to the full directory or explore grouped topics.
Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational