Environment Variables
Establishes secure management patterns for environment variables and secrets across project environments, enhancing security and compliance.
Security score
The Environment Variables skill was audited on Mar 1, 2026 and we found 88 security issues across 5 threat categories. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context
| 359 | (err) => `${err.path.join('.')}: ${err.message}` |
Template literal with variable interpolation in command context
| 362 | `Environment variable validation failed:\n${errorMessages.join('\n')}` |
Template literal with variable interpolation in command context
| 421 | baseUrl: env.API_BASE_URL || `${env.NEXT_PUBLIC_APP_URL}/api`, |
Template literal with variable interpolation in command context
| 492 | `Missing required environment variables: ${missing.join(', ')}` |
Template literal with variable interpolation in command context
| 700 | console.log(`${colors[color]}${message}${colors.reset}`); |
Template literal with variable interpolation in command context
| 717 | colorLog(`✅ ${file} exists`, 'green'); |
Template literal with variable interpolation in command context
| 719 | colorLog(`❌ ${file} missing`, 'red'); |
Template literal with variable interpolation in command context
| 741 | colorLog(`⚠️ ${file} exists (should not be committed)`, 'yellow'); |
Template literal with variable interpolation in command context
| 744 | colorLog(`ℹ️ ${file} not found (expected for local development)`, 'cyan'); |
Template literal with variable interpolation in command context
| 786 | colorLog(`✅ ${pattern} is ignored`, 'green'); |
Template literal with variable interpolation in command context
| 788 | colorLog(`❌ ${pattern} is not ignored`, 'red'); |
Template literal with variable interpolation in command context
| 818 | colorLog(`❌ Check failed with error: ${error.message}`, 'red'); |
Template literal with variable interpolation in command context
| 825 | colorLog(`✅ Passed: ${passed}`, 'green'); |
Template literal with variable interpolation in command context
| 826 | colorLog(`❌ Failed: ${failed}`, 'red'); |
Template literal with variable interpolation in command context
| 827 | colorLog(`📈 Success Rate: ${((passed / (passed + failed)) * 100).toFixed(1)}%`, |
Template literal with variable interpolation in command context
| 887 | src={`https://www.googletagmanager.com/gtag/js?id=${NEXT_PUBLIC_GOOGLE_ANALYTICS_ID}`} |
Template literal with variable interpolation in command context
| 891 | __html: ` |
Template literal with variable interpolation in command context
| 963 | console.log(`[LOG] ${message}`, data); |
Node child_process module reference
| 685 | const { execSync } = require('child_process'); |
Webhook reference - potential data exfiltration
| 105 | STRIPE_WEBHOOK_SECRET= |
Webhook reference - potential data exfiltration
| 234 | STRIPE_WEBHOOK_SECRET=whsec_your_webhook_secret |
Webhook reference - potential data exfiltration
| 311 | STRIPE_WEBHOOK_SECRET: z.string().min(1).optional(), |
Webhook reference - potential data exfiltration
| 431 | webhookSecret: env.STRIPE_WEBHOOK_SECRET, |
Access to .env file
| 57 | mkdir -p .env.example |
Access to .env file
| 58 | mkdir -p .env.local.example |
Access to .env file
| 59 | mkdir -p .env.development.example |
Access to .env file
| 60 | mkdir -p .env.test.example |
Access to .env file
| 61 | mkdir -p .env.production.example |
Access to .env file
| 66 | Create `.env.example`: |
Access to .env file
| 148 | Create `.env.development.example`: |
Access to .env file
| 152 | # Copy this to .env.development.local |
Access to .env file
| 177 | Create `.env.test.example`: |
Access to .env file
| 181 | # Copy this to .env.test.local |
Access to .env file
| 201 | Create `.env.production.example`: |
Access to .env file
| 205 | # Copy this to .env.production.local |
Access to .env file
| 355 | return envSchema.parse(process.env); |
Access to .env file
| 459 | return process.env.NODE_ENV === 'development'; |
Access to .env file
| 463 | return process.env.NODE_ENV === 'production'; |
Access to .env file
| 467 | return process.env.NODE_ENV === 'test'; |
Access to .env file
| 488 | const missing = requiredVars.filter(varName => !process.env[varName]); |
Access to .env file
| 565 | ...env, |
Access to .env file
| 638 | ### Development (.env.development.local) |
Access to .env file
| 641 | ### Test (.env.test.local) |
Access to .env file
| 644 | ### Production (.env.production.local) |
Access to .env file
| 649 | - Never commit `.env.local` files to version control |
Access to .env file
| 657 | 1. Add the variable to the appropriate `.env.example` file |
Access to .env file
| 666 | 1. Check that you have the correct `.env.local` file |
Access to .env file
| 707 | '.env.example', |
Access to .env file
| 708 | '.env.development.example', |
Access to .env file
| 709 | '.env.test.example', |
Access to .env file
| 710 | '.env.production.example', |
Access to .env file
| 731 | '.env.local', |
Access to .env file
| 732 | '.env.development.local', |
Access to .env file
| 733 | '.env.test.local', |
Access to .env file
| 734 | '.env.production.local', |
Access to .env file
| 776 | '.env.local', |
Access to .env file
| 777 | '.env.development.local', |
Access to .env file
| 778 | '.env.test.local', |
Access to .env file
| 779 | '.env.production.local', |
Access to .env file
| 854 | "env:setup": "cp .env.example .env.local && echo 'Environment variables configured. Please update .env.local with your values.'", |
Access to .env file
| 855 | "env:dev": "cp .env.development.example .env.development.local && echo 'Development environment configured.'", |
Access to .env file
| 856 | "env:test": "cp .env.test.example .env.test.local && echo 'Test environment configured.'", |
Access to .env file
| 857 | "env:prod": "cp .env.production.example .env.production.local && echo 'Production environment configured.'", |
Access to .env file
| 1011 | 1. **Never commit secrets** - Use `.env.local` files |
Hex-encoded characters
| 691 | reset: '\x1b[0m', |
Hex-encoded characters
| 692 | red: '\x1b[31m', |
Hex-encoded characters
| 693 | green: '\x1b[32m', |
Hex-encoded characters
| 694 | yellow: '\x1b[33m', |
Hex-encoded characters
| 695 | blue: '\x1b[34m', |
Hex-encoded characters
| 696 | cyan: '\x1b[36m', |
External URL reference
| 80 | NEXT_PUBLIC_APP_URL=http://localhost:3000 |
External URL reference
| 85 | API_BASE_URL=http://localhost:3000/api |
External URL reference
| 132 | CORS_ORIGIN=http://localhost:3000 |
External URL reference
| 155 | NEXT_PUBLIC_SUPABASE_URL=http://localhost:54321 |
External URL reference
| 161 | NEXTAUTH_URL=http://localhost:3000 |
External URL reference
| 164 | NEXT_PUBLIC_APP_URL=http://localhost:3000 |
External URL reference
| 184 | NEXT_PUBLIC_SUPABASE_URL=http://localhost:54323 |
External URL reference
| 189 | NEXTAUTH_URL=http://localhost:3000 |
External URL reference
| 192 | NEXT_PUBLIC_APP_URL=http://localhost:3000 |
External URL reference
| 208 | NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co |
External URL reference
| 214 | NEXTAUTH_URL=https://your-domain.com |
External URL reference
| 217 | NEXT_PUBLIC_APP_URL=https://your-domain.com |
External URL reference
| 224 | NEXT_PUBLIC_SENTRY_DSN=https://your-sentry-dsn |
External URL reference
| 237 | NEXT_PUBLIC_STORAGE_URL=https://your-storage.s3.amazonaws.com |
External URL reference
| 254 | LOGROCKET_URL=https://your-logrocket-url |
External URL reference
| 257 | CORS_ORIGIN=https://your-domain.com |
External URL reference
| 262 | VERCEL_URL=https://your-domain.com |
External URL reference
| 887 | src={`https://www.googletagmanager.com/gtag/js?id=${NEXT_PUBLIC_GOOGLE_ANALYTICS_ID}`} |
Install this skill with one command
/learn @coverage-creatives/environment-variables