
wrsmith108/varlock-claude-skill

Varlock Skill for Claude Code

Secure-by-default environment variable management. Ensures secrets are never exposed in Claude sessions.

Why This Skill?

When working with Claude Code, secrets can accidentally leak into:

  • Terminal output
  • Claude's input/output context
  • Log files or traces
  • Git commits or diffs

This skill wraps Varlock to enforce secure patterns and prevent accidental exposure.

Installation

Option A: One-liner (Recommended)

mkdir -p ~/.claude/skills/varlock && curl -sSL https://raw.githubusercontent.com/wrsmith108/varlock-claude-skill/main/skills/varlock/SKILL.md -o ~/.claude/skills/varlock/SKILL.md

Option B: Manual

git clone https://github.com/wrsmith108/varlock-claude-skill /tmp/varlock-skill
cp -r /tmp/varlock-skill/skills/varlock ~/.claude/skills/
rm -rf /tmp/varlock-skill

Prerequisites

Install the Varlock CLI:

curl -sSfL https://varlock.dev/install.sh | sh -s -- --force-no-brew
export PATH="$HOME/.varlock/bin:$PATH"

Core Principle

Secrets must NEVER appear in Claude's context.

Never Do              Safe Alternative
cat .env              cat .env.schema
echo $SECRET          varlock load
printenv | grep API   varlock load | grep API

Quick Reference

# Validate all secrets (shows masked values)
varlock load

# Quiet validation (no output on success)
varlock load --quiet

# Run command with secrets injected
varlock run -- npm start

# View schema (safe - no values)
cat .env.schema

Schema File

Create .env.schema to define variable types and sensitivity:

# Global defaults
# @defaultSensitive=true @defaultRequired=infer

# Public config
# @type=enum(development,staging,production) @sensitive=false
NODE_ENV=development

# Sensitive secrets
# @type=string(startsWith=sk_) @required @sensitive
STRIPE_SECRET_KEY=

# @type=url @required @sensitive
DATABASE_URL=

Annotations

Annotation                   Effect
@sensitive                   Value masked in all output
@sensitive=false             Value shown (for public keys)
@required                    Must be present
@type=string(startsWith=X)   Prefix validation
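
The `cat .env.schema` alternative is only safe while sensitive items in the schema stay empty. As an added example (not part of this repository or of Varlock), the shell function below flags sensitive items that carry a literal value. It reads the decorators in a simplified way based on the sample above and assumes an item with no declared sensitivity is sensitive; the sample schema and its values are constructed.

```shell
# Added example: a simplified reading of the schema sample, not Varlock's parser.

# lint_env_schema [FILE]: print the name of each sensitive item whose value is not empty.
lint_env_schema() {
  awk '
    BEGIN { def = 1 }                 # assumption: no declared default means sensitive
    /^[ \t]*$/ { has = 0; next }      # blank line: decorators above it are not item decorators
    /^[ \t]*#/ {
      n = split($0, tok, /[ \t]+/)
      for (i = 1; i <= n; i++) {
        if (tok[i] == "@defaultSensitive=true") def = 1
        else if (tok[i] == "@defaultSensitive=false") def = 0
        else if (tok[i] == "@sensitive" || tok[i] == "@sensitive=true") { has = 1; sens = 1 }
        else if (tok[i] == "@sensitive=false") { has = 1; sens = 0 }
      }
      next
    }
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
      eq = index($0, "=")
      name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/[ \t]/, "", name)
      sub(/[ \t]+#.*$/, "", val)                         # drop a trailing comment
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (val == "\"\"" || val == "\047\047") val = ""   # empty quoted string
      if ((has ? sens : def) && val != "") print name
      has = 0
    }
  ' "${1:--}"
}

# Constructed sample: the schema shown above plus two mistakes (values are fake).
constructed_schema() {
  cat <<'EOF'
# @defaultSensitive=true @defaultRequired=infer

# @type=enum(development,staging,production) @sensitive=false
NODE_ENV=development

# @type=string(startsWith=sk_) @required @sensitive
STRIPE_SECRET_KEY=sk_constructed_not_a_real_key

# @type=url @required @sensitive
DATABASE_URL=

INTERNAL_TOKEN=constructed-value
EOF
}

constructed_schema | lint_env_schema   # prints STRIPE_SECRET_KEY and INTERNAL_TOKEN
```

In a pre-commit hook, `[ -z "$(lint_env_schema .env.schema)" ]` fails the commit when any sensitive item has a value.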

Handling Secret Requests

When users ask Claude to:

  • "Check if API key is set" → varlock load | grep API_KEY
  • "Debug authentication" → varlock load (validates all)
  • "Update a secret" → Decline; ask user to update manually
  • "Show me .env" → cat .env.schema instead

Credits

This skill wraps Varlock by DMNO.

License

MIT
