How do I install Varlock Skill for Claude Code?

Install Varlock Skill for Claude Code with a single command: npx mdskills install wrsmith108/varlock. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support Varlock Skill for Claude Code?

Varlock Skill for Claude Code works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

Varlock Skill for Claude Code

Name: Varlock Skill for Claude Code: AI Agent Skill
Rating: 9 (1 reviews)
Author: wrsmith108

Verified

SecurityIntermediate

Secure environment variable management with Varlock. Use when handling secrets, API keys, credentials, or any sensitive configuration. Ensures secrets are never exposed in terminals, logs, traces, or Claude's context. Trigger phrases include "environment variables", "secrets", ".env", "API key", "credentials", "sensitive", "Varlock".

by @wrsmith1080Updated 1 weeks ago

Add this skill

npx mdskills install wrsmith108/varlock

Fork & Edit

Skill Advisor9.0

Comprehensive security-first skill with clear rules, safe patterns, and actionable guidance for protecting secrets

+Provides explicit security rules with clear do/don't examples for every common scenario
+Covers complete workflow from installation through CI/CD integration with practical patterns
+Includes detailed schema annotations, type validation, and external secret source integration
-Requests Git Write permission but demonstrates no git operations in the content

SKILL.md

Edit in Browser

1---
2name: varlock
3description: Secure environment variable management with Varlock. Use when handling secrets, API keys, credentials, or any sensitive configuration. Ensures secrets are never exposed in terminals, logs, traces, or Claude's context. Trigger phrases include "environment variables", "secrets", ".env", "API key", "credentials", "sensitive", "Varlock".
4---
5 
6# Varlock Security Skill
7 
8Secure-by-default environment variable management for Claude Code sessions.
9 
10> **Repository**: https://github.com/dmno-dev/varlock
11> **Documentation**: https://varlock.dev
12 
13## Core Principle: Secrets Never Exposed
14 
15When working with Claude, secrets must NEVER appear in:
16- Terminal output
17- Claude's input/output context
18- Log files or traces
19- Git commits or diffs
20- Error messages
21 
22This skill ensures all sensitive data is properly protected.
23 
24---
25 
26## CRITICAL: Security Rules for Claude
27 
28### Rule 1: Never Echo Secrets
29 
30```bash
31# ❌ NEVER DO THIS - exposes secret to Claude's context
32echo $CLERK_SECRET_KEY
33cat .env | grep SECRET
34printenv | grep API
35 
36# ✅ DO THIS - validates without exposing
37varlock load --quiet && echo "✓ Secrets validated"
38```
39 
40### Rule 2: Never Read .env Directly
41 
42```bash
43# ❌ NEVER DO THIS - exposes all secrets
44cat .env
45less .env
46Read tool on .env file
47 
48# ✅ DO THIS - read schema (safe) not values
49cat .env.schema
50varlock load  # Shows masked values
51```
52 
53### Rule 3: Use Varlock for Validation
54 
55```bash
56# ❌ NEVER DO THIS - exposes secret in error
57test -n "$API_KEY" && echo "Key: $API_KEY"
58 
59# ✅ DO THIS - Varlock validates and masks
60varlock load
61# Output shows: API_KEY 🔐sensitive └ ▒▒▒▒▒
62```
63 
64### Rule 4: Never Include Secrets in Commands
65 
66```bash
67# ❌ NEVER DO THIS - secret in command history
68curl -H "Authorization: Bearer sk_live_xxx" https://api.example.com
69 
70# ✅ DO THIS - use environment variable
71curl -H "Authorization: Bearer $API_KEY" https://api.example.com
72# Or better: varlock run -- curl ...
73```
74 
75---
76 
77## Quick Start
78 
79### Installation
80 
81```bash
82# Install Varlock CLI
83curl -sSfL https://varlock.dev/install.sh | sh -s -- --force-no-brew
84 
85# Add to PATH (add to ~/.zshrc or ~/.bashrc)
86export PATH="$HOME/.varlock/bin:$PATH"
87 
88# Verify
89varlock --version
90```
91 
92### Initialize Project
93 
94```bash
95# Create .env.schema from existing .env
96varlock init
97 
98# Or create manually
99touch .env.schema
100```
101 
102---
103 
104## Schema File: .env.schema
105 
106The schema defines types, validation, and sensitivity for each variable.
107 
108### Basic Structure
109 
110```bash
111# Global defaults
112# @defaultSensitive=true @defaultRequired=infer
113 
114# Application
115# @type=enum(development,staging,production) @sensitive=false
116NODE_ENV=development
117 
118# @type=port @sensitive=false
119PORT=3000
120 
121# Database - SENSITIVE
122# @type=url @required
123DATABASE_URL=
124 
125# @type=string @required @sensitive
126DATABASE_PASSWORD=
127 
128# API Keys - SENSITIVE
129# @type=string(startsWith=sk_) @required @sensitive
130STRIPE_SECRET_KEY=
131 
132# @type=string(startsWith=pk_) @sensitive=false
133STRIPE_PUBLISHABLE_KEY=
134```
135 
136### Security Annotations
137 
138| Annotation | Effect | Use For |
139|------------|--------|---------|
140| `@sensitive` | Redacted in all output | API keys, passwords, tokens |
141| `@sensitive=false` | Shown in logs | Public keys, non-secret config |
142| `@defaultSensitive=true` | All vars sensitive by default | High-security projects |
143 
144### Type Annotations
145 
146| Type | Validates | Example |
147|------|-----------|---------|
148| `string` | Any string | `@type=string` |
149| `string(startsWith=X)` | Prefix validation | `@type=string(startsWith=sk_)` |
150| `string(contains=X)` | Substring validation | `@type=string(contains=+clerk_test)` |
151| `url` | Valid URL | `@type=url` |
152| `port` | 1-65535 | `@type=port` |
153| `boolean` | true/false | `@type=boolean` |
154| `enum(a,b,c)` | One of values | `@type=enum(dev,prod)` |
155 
156---
157 
158## Safe Commands for Claude
159 
160### Validating Environment
161 
162```bash
163# Check all variables (safe - masks sensitive values)
164varlock load
165 
166# Quiet mode (no output on success)
167varlock load --quiet
168 
169# Check specific environment
170varlock load --env=production
171```
172 
173### Running Commands with Secrets
174 
175```bash
176# Inject validated env into command
177varlock run -- npm start
178varlock run -- node script.js
179varlock run -- pytest
180 
181# Secrets are available to the command but never printed
182```
183 
184### Checking Schema (Safe)
185 
186```bash
187# Schema is safe to read - contains no values
188cat .env.schema
189 
190# List expected variables
191grep "^[A-Z]" .env.schema
192```
193 
194---
195 
196## Common Patterns
197 
198### Pattern 1: Validate Before Operations
199 
200```bash
201# Always validate environment first
202varlock load --quiet || {
203  echo "❌ Environment validation failed"
204  exit 1
205}
206 
207# Then proceed with operation
208npm run build
209```
210 
211### Pattern 2: Safe Secret Rotation
212 
213```bash
214# 1. Update secret in external source (1Password, AWS, etc.)
215# 2. Update .env file manually (don't use Claude for this)
216# 3. Validate new value works
217varlock load
218 
219# 4. If using GitHub Secrets, sync (values not shown)
220./scripts/update-github-secrets.sh
221```
222 
223### Pattern 3: CI/CD Integration
224 
225```yaml
226# GitHub Actions - secrets from GitHub Secrets
227- name: Validate environment
228  env:
229    DATABASE_URL: ${{ secrets.DATABASE_URL }}
230    API_KEY: ${{ secrets.API_KEY }}
231  run: varlock load --quiet
232```
233 
234### Pattern 4: Docker Integration
235 
236```dockerfile
237# Install Varlock in container
238RUN curl -sSfL https://varlock.dev/install.sh | sh -s -- --force-no-brew \
239    && ln -s /root/.varlock/bin/varlock /usr/local/bin/varlock
240 
241# Validate at container start
242CMD ["varlock", "run", "--", "npm", "start"]
243```
244 
245---
246 
247## Handling Secret-Related Tasks
248 
249### When User Asks to "Check if API key is set"
250 
251```bash
252# ✅ Safe approach
253varlock load 2>&1 | grep "API_KEY"
254# Shows: ✅ API_KEY 🔐sensitive └ ▒▒▒▒▒
255 
256# ❌ Never do
257echo $API_KEY
258```
259 
260### When User Asks to "Debug authentication"
261 
262```bash
263# ✅ Safe approach - check presence and format
264varlock load  # Validates types and required fields
265 
266# Check if key has correct prefix (without showing value)
267varlock load 2>&1 | grep -E "(CLERK|AUTH)"
268 
269# ❌ Never do
270printenv | grep KEY
271```
272 
273### When User Asks to "Update a secret"
274 
275```
276Claude should respond:
277"I cannot directly modify secrets for security reasons. Please:
2781. Update the value in your .env file manually
2792. Or update in your secrets manager (1Password, AWS, etc.)
2803. Then run `varlock load` to validate
281 
282I can help you update the .env.schema if you need to add new variables."
283```
284 
285### When User Asks to "Show me the .env file"
286 
287```
288Claude should respond:
289"I won't read .env files directly as they contain secrets. Instead:
290- Run `varlock load` to see masked values
291- Run `cat .env.schema` to see the schema (safe)
292- I can help you modify .env.schema if needed"
293```
294 
295---
296 
297## External Secret Sources
298 
299### 1Password Integration
300 
301```bash
302# In .env.schema
303# @type=string @sensitive
304API_KEY=exec('op read "op://vault/item/field"')
305```
306 
307### AWS Secrets Manager
308 
309```bash
310# In .env.schema
311# @type=string @sensitive
312DB_PASSWORD=exec('aws secretsmanager get-secret-value --secret-id prod/db')
313```
314 
315### Environment-Specific Values
316 
317```bash
318# In .env.schema
319# @type=url
320API_URL=env('API_URL_${NODE_ENV}', 'http://localhost:3000')
321```
322 
323---
324 
325## Troubleshooting
326 
327### "varlock: command not found"
328 
329```bash
330# Check installation
331ls ~/.varlock/bin/varlock
332 
333# Add to PATH
334export PATH="$HOME/.varlock/bin:$PATH"
335 
336# Or use full path
337~/.varlock/bin/varlock load
338```
339 
340### "Schema validation failed"
341 
342```bash
343# Check which variables are missing/invalid
344varlock load  # Shows detailed errors
345 
346# Common fixes:
347# - Add missing required variables to .env
348# - Fix type mismatches (port must be number)
349# - Check string prefixes match schema
350```
351 
352### "Sensitive value exposed in logs"
353 
354```bash
355# 1. Rotate the exposed secret immediately
356# 2. Check .env.schema has @sensitive annotation
357# 3. Ensure using varlock commands, not echo/cat
358 
359# Add missing sensitivity:
360# Before: API_KEY=
361# After:  # @type=string @sensitive
362#         API_KEY=
363```
364 
365---
366 
367## npm Scripts
368 
369Add these to your package.json:
370 
371```json
372{
373  "scripts": {
374    "env:validate": "varlock load",
375    "env:check": "varlock load --quiet || echo 'Environment validation failed'",
376    "prestart": "varlock load --quiet",
377    "start": "varlock run -- node server.js"
378  }
379}
380```
381 
382---
383 
384## Security Checklist for New Projects
385 
386- [ ] Install Varlock CLI
387- [ ] Create `.env.schema` with all variables defined
388- [ ] Mark all secrets with `@sensitive` annotation
389- [ ] Add `@defaultSensitive=true` to schema header
390- [ ] Add `.env` to `.gitignore`
391- [ ] Commit `.env.schema` to version control
392- [ ] Add `npm run env:validate` to CI/CD
393- [ ] Document secret rotation procedure
394- [ ] Never use `cat .env` or `echo $SECRET` in Claude sessions
395 
396---
397 
398## Quick Reference Card
399 
400| Task | Safe Command |
401|------|-------------|
402| Validate all env vars | `varlock load` |
403| Quiet validation | `varlock load --quiet` |
404| Run with env | `varlock run -- <cmd>` |
405| View schema | `cat .env.schema` |
406| Check specific var | `varlock load \| grep VAR_NAME` |
407 
408| Never Do | Why |
409|----------|-----|
410| `cat .env` | Exposes all secrets |
411| `echo $SECRET` | Exposes to Claude context |
412| `printenv \| grep` | Exposes matching secrets |
413| Read .env with tools | Secrets in Claude's context |
414| Hardcode in commands | In shell history |
415 
416---
417 
418## Integration with Other Skills
419 
420### Clerk Skill
421- Test user passwords are `@sensitive`
422- Test emails are `@sensitive=false` (contain +clerk_test, not secret)
423- See: `~/.claude/skills/clerk/SKILL.md`
424 
425### Docker Skill
426- Mount `.env` file, never copy secrets to image
427- Use `varlock run` as entrypoint
428- See: `~/.claude/skills/docker/SKILL.md`
429 
430---
431 
432*Last updated: December 22, 2025*
433*Secure-by-default environment management for Claude Code*
434

Full transparency — inspect the skill content before installing.