Claude Code skill for secure environment variable management with Varlock. Never expose secrets in Claude sessions.

wrsmith108/varlock-claude-skill

Varlock Skill for Claude Code

Secure-by-default environment variable management. Ensures secrets are never exposed in Claude sessions.

Why This Skill?

When working with Claude Code, secrets can accidentally leak into:

  • Terminal output
  • Claude's input/output context
  • Log files or traces
  • Git commits or diffs

This skill wraps Varlock to enforce secure patterns and prevent accidental exposure.

Installation

Option A: Claude Plugin (Recommended)

claude plugin add github:wrsmith108/varlock-claude-skill

Option B: Manual

git clone https://github.com/wrsmith108/varlock-claude-skill ~/.claude/skills/varlock

Prerequisites

Install the Varlock CLI:

curl -sSfL https://varlock.dev/install.sh | sh -s -- --force-no-brew
export PATH="$HOME/.varlock/bin:$PATH"

Core Principle

Secrets must NEVER appear in Claude's context.

Never Do                 Safe Alternative
cat .env                 cat .env.schema
echo $SECRET             varlock load
printenv | grep API      varlock load | grep API

Quick Reference

# Validate all secrets (shows masked values)
varlock load

# Quiet validation (no output on success)
varlock load --quiet

# Run command with secrets injected
varlock run -- npm start

# View schema (safe - no values)
cat .env.schema

Schema File

Create .env.schema to define variable types and sensitivity:

# Global defaults
# @defaultSensitive=true @defaultRequired=infer

# Public config
# @type=enum(development,staging,production) @sensitive=false
NODE_ENV=development

# Sensitive secrets
# @type=string(startsWith=sk_) @required @sensitive
STRIPE_SECRET_KEY=

# @type=url @required @sensitive
DATABASE_URL=

Annotations

Annotation                    Effect
@sensitive                    Value masked in all output
@sensitive=false              Value shown (for public keys)
@required                     Must be present
@type=string(startsWith=X)    Prefix validation
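
Showing `cat .env.schema` to Claude is only safe while the schema holds no secret values. The following is an added example (not part of this repository or of Varlock) that lists sensitive variables whose value has been filled in inside the schema; the decorator-scoping rules, the fail-closed default and the function names are assumptions of this example.

```shell
# Added example: names of sensitive variables that carry a value in .env.schema.
# Assumed rules: decorators in the comment lines directly above a variable apply
# to it; otherwise it inherits @defaultSensitive; no default means sensitive.
# Usage: check_schema .env.schema
schema_leaks() {
  awk '
    BEGIN { def = 1; item = -1 }   # item: -1 unset, 0 public, 1 sensitive
    /^[ \t]*#/ {
      if ($0 ~ /@defaultSensitive=false/) def = 0
      if ($0 ~ /@defaultSensitive=true/)  def = 1
      if ($0 ~ /@sensitive=false/) item = 0
      else if ($0 ~ /@sensitive([ \t]|=true|$)/) item = 1
      next
    }
    /^[ \t]*$/ { item = -1; next }   # a blank line ends a decorator block
    /^[A-Za-z_][A-Za-z0-9_]*=/ {
      name = $0;  sub(/=.*/, "", name)
      value = $0; sub(/^[^=]*=/, "", value)
      gsub(/^[ \t"\047]+|[ \t"\047]+$/, "", value)   # empty quotes count as empty
      sens = (item == -1) ? def : item
      if (sens && value != "") print name
      item = -1
    }
  ' "$@"
}

# Constructed sample: the README schema with two mistakes (values filled in).
sample_schema() {
  cat <<'EOF'
# @defaultSensitive=true @defaultRequired=infer

# @type=enum(development,staging,production) @sensitive=false
NODE_ENV=development

# @type=string(startsWith=sk_) @required @sensitive
STRIPE_SECRET_KEY=sk_CONSTRUCTED_PLACEHOLDER

# @type=url @required @sensitive
DATABASE_URL=
SESSION_TOKEN="constructed-value"
EOF
}

# Report variable names only, never values; non-zero status if any are found.
check_schema() {
  leaks=$(schema_leaks "$@")
  [ -z "$leaks" ] && return 0
  printf 'sensitive value in schema: %s\n' $leaks >&2; return 1
}
```
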

Integration with Other Skills

Docker Skill

# Use Varlock as entrypoint
CMD ["varlock", "run", "--", "npm", "start"]

Clerk Skill

# Test passwords are sensitive
# @type=string @sensitive
TEST_ADMIN_PASSWORD=

# Test emails are NOT sensitive (contain +clerk_test)
# @type=string(contains=+clerk_test) @sensitive=false
TEST_ADMIN_EMAIL=

Handling Secret Requests

When users ask Claude to:

  • "Check if API key is set" → varlock load | grep API_KEY
  • "Debug authentication" → varlock load (validates all)
  • "Update a secret" → Decline; ask user to update manually
  • "Show me .env" → cat .env.schema instead

Credits

This skill wraps Varlock by DMNO.

License

MIT
