Stats
Actions
Available In
Tags
Plugin
varlock
Securely manage environment variables for secrets, API keys, and credentials using Varlock CLI. Mask sensitive data in terminals, logs, traces, and Claude context to prevent leaks. Validate configurations against .env.schema for robust security in development workflows.
README
Varlock Skill for Claude Code
Secure-by-default environment variable management. Ensures secrets are never exposed in Claude sessions.
Why This Skill?
When working with Claude Code, secrets can accidentally leak into:
- Terminal output
- Claude's input/output context
- Log files or traces
- Git commits or diffs
This skill wraps Varlock to enforce secure patterns and prevent accidental exposure.
Installation
Option A: One-liner (Recommended)
mkdir -p ~/.claude/skills/varlock && curl -sSL https://raw.githubusercontent.com/wrsmith108/varlock-claude-skill/main/skills/varlock/SKILL.md -o ~/.claude/skills/varlock/SKILL.md
Option B: Manual
git clone https://github.com/wrsmith108/varlock-claude-skill /tmp/varlock-skill
cp -r /tmp/varlock-skill/skills/varlock ~/.claude/skills/
rm -rf /tmp/varlock-skill
Prerequisites
Install the Varlock CLI:
curl -sSfL https://varlock.dev/install.sh | sh -s -- --force-no-brew
export PATH="$HOME/.varlock/bin:$PATH"
Core Principle
Secrets must NEVER appear in Claude's context.
| Never Do | Safe Alternative |
|---|---|
cat .env | cat .env.schema |
echo $SECRET | varlock load |
printenv | grep API | varlock load | grep API |
Quick Reference
# Validate all secrets (shows masked values)
varlock load
# Quiet validation (no output on success)
varlock load --quiet
# Run command with secrets injected
varlock run -- npm start
# View schema (safe - no values)
cat .env.schema
Schema File
Create .env.schema to define variable types and sensitivity:
# Global defaults
# @defaultSensitive=true @defaultRequired=infer
# Public config
# @type=enum(development,staging,production) @sensitive=false
NODE_ENV=development
# Sensitive secrets
# @type=string(startsWith=sk_) @required @sensitive
STRIPE_SECRET_KEY=
# @type=url @required @sensitive
DATABASE_URL=
Annotations
| Annotation | Effect |
|---|---|
@sensitive | Value masked in all output |
@sensitive=false | Value shown (for public keys) |
@required | Must be present |
@type=string(startsWith=X) | Prefix validation |
Handling Secret Requests
When users ask Claude to:
- "Check if API key is set" →
varlock load | grep API_KEY - "Debug authentication" →
varlock load(validates all) - "Update a secret" → Decline; ask user to update manually
- "Show me .env" →
cat .env.schemainstead
Credits
This skill wraps Varlock by DMNO.
License
MIT
Stats
Version1.0.0
Stars23
MaintenanceGood
LicenseMIT
Last Commit
Added
Tags
Technologies
Categories
