varlock

Manages environment variables securely in Claude Code sessions, ensuring sensitive data remains protected and never exposed.

Security score: 0/100

The varlock skill was audited on Jun 10, 2026 and we found 52 security issues across 4 threat categories, including 2 high-severity. Review the findings below before installing.

Security Issues

high line 320

Direct command execution function call

Source: SKILL.md
320: API_KEY=exec('op read "op://vault/item/field"')
high line 328

Direct command execution function call

Source: SKILL.md
328: DB_PASSWORD=exec('aws secretsmanager get-secret-value --secret-id prod/db')
medium line 237

Template literal with variable interpolation in command context

Source: SKILL.md
237: ```yaml
medium line 333

Template literal with variable interpolation in command context

Source: SKILL.md
333: ```bash
medium line 76

Curl to non-GitHub URL

Source: SKILL.md
76: curl -H "Authorization: Bearer sk_live_xxx" https://api.example.com
medium line 79

Curl to non-GitHub URL

Source: SKILL.md
79: curl -H "Authorization: Bearer $API_KEY" https://api.example.com
medium line 93

Curl to non-GitHub URL

Source: SKILL.md
93: curl -sSfL https://varlock.dev/install.sh -o "$tmpdir/varlock-install.sh"
medium line 251

Curl to non-GitHub URL

Source: SKILL.md
251: && curl -sSfL https://varlock.dev/install.sh -o "$tmpdir/varlock-install.sh" \
low line 97

Access to hidden dotfiles in home directory

Source: SKILL.md
97: # Add to PATH (add to ~/.zshrc or ~/.bashrc)
low line 347

Access to hidden dotfiles in home directory

Source: SKILL.md
347: ls ~/.varlock/bin/varlock
low line 353

Access to hidden dotfiles in home directory

Source: SKILL.md
353: ~/.varlock/bin/varlock load
medium line 439

Access to hidden dotfiles in home directory

Source: SKILL.md
439: - See: `~/.claude/skills/clerk/SKILL.md`
medium line 444

Access to hidden dotfiles in home directory

Source: SKILL.md
444: - See: `~/.claude/skills/docker/SKILL.md`
medium line 255

Access to root home directory

Source: SKILL.md
255: && ln -s /root/.varlock/bin/varlock /usr/local/bin/varlock
medium line 19

Access to .env file

Source: SKILL.md
19: - You want a secure-by-default workflow built around Varlock instead of direct `.env` inspection.
low line 41

Access to .env file

Source: SKILL.md
41: cat .env | grep SECRET
medium line 48

Access to .env file

Source: SKILL.md
48: ### Rule 2: Never Read .env Directly
low line 52

Access to .env file

Source: SKILL.md
52: cat .env
low line 53

Access to .env file

Source: SKILL.md
53: less .env
low line 54

Access to .env file

Source: SKILL.md
54: Read tool on .env file
low line 57

Access to .env file

Source: SKILL.md
57: cat .env.schema
low line 107

Access to .env file

Source: SKILL.md
107: # Create .env.schema from existing .env
low line 111

Access to .env file

Source: SKILL.md
111: touch .env.schema
medium line 116

Access to .env file

Source: SKILL.md
116: ## Schema File: .env.schema
low line 200

Access to .env file

Source: SKILL.md
200: cat .env.schema
low line 203

Access to .env file

Source: SKILL.md
203: grep "^[A-Z]" .env.schema
low line 227

Access to .env file

Source: SKILL.md
227: # 2. Update .env file manually (don't use Claude for this)
low line 294

Access to .env file

Source: SKILL.md
294: 1. Update the value in your .env file manually
low line 298

Access to .env file

Source: SKILL.md
298: I can help you update the .env.schema if you need to add new variables."
medium line 301

Access to .env file

Source: SKILL.md
301: ### When User Asks to "Show me the .env file"
low line 305

Access to .env file

Source: SKILL.md
305: "I won't read .env files directly as they contain secrets. Instead:
low line 307

Access to .env file

Source: SKILL.md
307: - Run `cat .env.schema` to see the schema (safe)
low line 308

Access to .env file

Source: SKILL.md
308: - I can help you modify .env.schema if needed"
low line 318

Access to .env file

Source: SKILL.md
318: # In .env.schema
low line 326

Access to .env file

Source: SKILL.md
326: # In .env.schema
low line 334

Access to .env file

Source: SKILL.md
334: # In .env.schema
low line 363

Access to .env file

Source: SKILL.md
363: # - Add missing required variables to .env
low line 372

Access to .env file

Source: SKILL.md
372: # 2. Check .env.schema has @sensitive annotation
medium line 403

Access to .env file

Source: SKILL.md
403: - [ ] Create `.env.schema` with all variables defined
medium line 406

Access to .env file

Source: SKILL.md
406: - [ ] Add `.env` to `.gitignore`
medium line 407

Access to .env file

Source: SKILL.md
407: - [ ] Commit `.env.schema` to version control
medium line 410

Access to .env file

Source: SKILL.md
410: - [ ] Never use `cat .env` or `echo $SECRET` in Claude sessions
medium line 421

Access to .env file

Source: SKILL.md
421: | View schema | `cat .env.schema` |
medium line 426

Access to .env file

Source: SKILL.md
426: | `cat .env` | Exposes all secrets |
medium line 429

Access to .env file

Source: SKILL.md
429: | Read .env with tools | Secrets in Claude's context |
medium line 442

Access to .env file

Source: SKILL.md
442: - Mount `.env` file, never copy secrets to image
low line 14

External URL reference

Source: SKILL.md
14: > **Documentation**: https://varlock.dev
low line 76

External URL reference

Source: SKILL.md
76: curl -H "Authorization: Bearer sk_live_xxx" https://api.example.com
low line 79

External URL reference

Source: SKILL.md
79: curl -H "Authorization: Bearer $API_KEY" https://api.example.com
low line 93

External URL reference

Source: SKILL.md
93: curl -sSfL https://varlock.dev/install.sh -o "$tmpdir/varlock-install.sh"
low line 251

External URL reference

Source: SKILL.md
251: && curl -sSfL https://varlock.dev/install.sh -o "$tmpdir/varlock-install.sh" \
low line 336

External URL reference

Source: SKILL.md
336: API_URL=env('API_URL_${NODE_ENV}', 'http://localhost:3000')
Scanned on Jun 10, 2026