Secure environment variable management with Varlock. Use when handling secrets, API keys, credentials, or any sensitive configuration. Ensures secrets are never exposed in terminals, logs, traces, or Claude's context. Trigger phrases include "environment variables", "secrets", ".env", "API key", "credentials", "sensitive", "Varlock".
Add this skill
npx mdskills install wrsmith108/varlockComprehensive security-first skill with clear rules, safe patterns, and actionable guidance for protecting secrets
Secure-by-default environment variable management. Ensures secrets are never exposed in Claude sessions.
When working with Claude Code, secrets can accidentally leak into:
This skill wraps Varlock to enforce secure patterns and prevent accidental exposure.
claude plugin add github:wrsmith108/varlock-claude-skill
git clone https://github.com/wrsmith108/varlock-claude-skill ~/.claude/skills/varlock
Install the Varlock CLI:
curl -sSfL https://varlock.dev/install.sh | sh -s -- --force-no-brew
export PATH="$HOME/.varlock/bin:$PATH"
Secrets must NEVER appear in Claude's context.
| Never Do | Safe Alternative |
|---|---|
cat .env | cat .env.schema |
echo $SECRET | varlock load |
printenv | grep API | varlock load | grep API |
# Validate all secrets (shows masked values)
varlock load
# Quiet validation (no output on success)
varlock load --quiet
# Run command with secrets injected
varlock run -- npm start
# View schema (safe - no values)
cat .env.schema
Create .env.schema to define variable types and sensitivity:
# Global defaults
# @defaultSensitive=true @defaultRequired=infer
# Public config
# @type=enum(development,staging,production) @sensitive=false
NODE_ENV=development
# Sensitive secrets
# @type=string(startsWith=sk_) @required @sensitive
STRIPE_SECRET_KEY=
# @type=url @required @sensitive
DATABASE_URL=
| Annotation | Effect |
|---|---|
@sensitive | Value masked in all output |
@sensitive=false | Value shown (for public keys) |
@required | Must be present |
@type=string(startsWith=X) | Prefix validation |
# Use Varlock as entrypoint
CMD ["varlock", "run", "--", "npm", "start"]
# Test passwords are sensitive
# @type=string @sensitive
TEST_ADMIN_PASSWORD=
# Test emails are NOT sensitive (contain +clerk_test)
# @type=string(contains=+clerk_test) @sensitive=false
TEST_ADMIN_EMAIL=
When users ask Claude to:
varlock load | grep API_KEYvarlock load (validates all)cat .env.schema insteadThis skill wraps Varlock by DMNO.
MIT
Install via CLI
npx mdskills install wrsmith108/varlockVarlock Skill for Claude Code is a free, open-source AI agent skill. Secure environment variable management with Varlock. Use when handling secrets, API keys, credentials, or any sensitive configuration. Ensures secrets are never exposed in terminals, logs, traces, or Claude's context. Trigger phrases include "environment variables", "secrets", ".env", "API key", "credentials", "sensitive", "Varlock".
Install Varlock Skill for Claude Code with a single command:
npx mdskills install wrsmith108/varlockThis downloads the skill files into your project and your AI agent picks them up automatically.
Varlock Skill for Claude Code works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.