dotenvx
Manages secure environment variables with encryption, enabling safe version control and multi-environment configuration.
Security score
The dotenvx skill was audited on Feb 9, 2026 and we found 98 security issues across 4 threat categories, including 3 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 334 | ```yaml |
Template literal with variable interpolation in command context
| 344 | ```yaml |
Template literal with variable interpolation in command context
| 406 | ```bash |
Piping content to sh shell
| 110 | curl -sfS https://dotenvx.sh | sh |
Piping content to sh shell
| 323 | RUN curl -sfS https://dotenvx.sh | sh |
Piping content to sh shell
| 355 | run: curl -sfS https://dotenvx.sh | sh |
Curl to non-GitHub URL
| 110 | curl -sfS https://dotenvx.sh | sh |
Curl to non-GitHub URL
| 323 | RUN curl -sfS https://dotenvx.sh | sh |
Curl to non-GitHub URL
| 355 | run: curl -sfS https://dotenvx.sh | sh |
Access to .env file
| 4 | description: dotenvx - secure environment variable management with encryption. Use for encrypting .env files, multi-environment configuration, cross-platform secret management, and migrating from plai |
Access to .env file
| 11 | **Core Value Proposition**: Encrypt your .env files so they can be safely committed to git, while keeping decryption keys separate and secure. |
Access to .env file
| 17 | - Encrypting .env files for version control |
Access to .env file
| 19 | - Migrating from plaintext .env to encrypted secrets |
Access to .env file
| 36 | Traditional `.env` files are plaintext - if committed to git or exposed, all secrets are compromised. dotenvx solves this by: |
Access to .env file
| 49 | .env (plaintext) .env.keys (NEVER commit) |
Access to .env file
| 71 | │ private key │ - .env.keys file |
Access to .env file
| 77 | │ process.env.HELLO│ |
Access to .env file
| 86 | | `.env` | Development environment variables | ✅ Yes (when encrypted) | |
Access to .env file
| 87 | | `.env.production` | Production environment variables | ✅ Yes (when encrypted) | |
Access to .env file
| 88 | | `.env.keys` | Private decryption keys | ❌ Never | |
Access to .env file
| 89 | | `.env.local` | Local overrides | ❌ No | |
Access to .env file
| 144 | dotenvx run -f .env.production -- node index.js |
Access to .env file
| 147 | dotenvx run -f .env.local -f .env -- node index.js |
Access to .env file
| 156 | ### encrypt - Encrypt .env Files |
Access to .env file
| 158 | Convert plaintext .env to encrypted format: |
Access to .env file
| 161 | # Encrypt default .env file |
Access to .env file
| 165 | dotenvx encrypt -f .env.production |
Access to .env file
| 167 | # Encrypt all .env* files |
Access to .env file
| 168 | dotenvx encrypt -f .env* |
Access to .env file
| 171 | **Result**: Creates/updates `.env.keys` with encryption keys. |
Access to .env file
| 173 | ### decrypt - Decrypt .env Files |
Access to .env file
| 175 | Revert encrypted .env to plaintext: |
Access to .env file
| 178 | # Decrypt default .env file |
Access to .env file
| 182 | dotenvx decrypt -f .env.production |
Access to .env file
| 194 | dotenvx set HELLO production -f .env.production |
Access to .env file
| 207 | dotenvx get HELLO -f .env.production |
Access to .env file
| 220 | dotenvx keypair -f .env.production |
Access to .env file
| 231 | ├── .env # Development (encrypted) |
Access to .env file
| 232 | ├── .env.production # Production (encrypted) |
Access to .env file
| 233 | ├── .env.staging # Staging (encrypted) |
Access to .env file
| 234 | ├── .env.local # Local overrides (not committed) |
Access to .env file
| 235 | ├── .env.keys # All private keys (NEVER commit) |
Access to .env file
| 243 | .env.keys |
Access to .env file
| 246 | .env.local |
Access to .env file
| 247 | .env.*.local |
Access to .env file
| 249 | # DO commit encrypted .env files |
Access to .env file
| 251 | # .env |
Access to .env file
| 252 | # .env.production |
Access to .env file
| 253 | # .env.staging |
Access to .env file
| 261 | # .env.keys after encrypting multiple environments |
Access to .env file
| 262 | DOTENV_PRIVATE_KEY="ec9d6..." # For .env |
Access to .env file
| 263 | DOTENV_PRIVATE_KEY_PRODUCTION="a]c8..." # For .env.production |
Access to .env file
| 264 | DOTENV_PRIVATE_KEY_STAGING="3d5f..." # For .env.staging |
Access to .env file
| 271 | # .env.local → .env.development → .env |
Access to .env file
| 286 | "start": "dotenvx run -f .env.production -- node index.js" |
Access to .env file
| 295 | console.log(process.env.HELLO) |
Access to .env file
| 310 | "build": "dotenvx run -f .env.production -- next build", |
Access to .env file
| 311 | "start": "dotenvx run -f .env.production -- next start" |
Access to .env file
| 360 | run: dotenvx run -f .env.production -- npm run build |
Access to .env file
| 367 | dotenvx set API_KEY "production-secret" -f .env.production |
Access to .env file
| 373 | # Paste the key from .env.keys |
Access to .env file
| 379 | "buildCommand": "dotenvx run -f .env.production -- npm run build" |
Access to .env file
| 385 | ## .env File Syntax |
Access to .env file
| 433 | #/ public-key encryption for .env files / |
Access to .env file
| 449 | 1. **Never commit `.env.keys`** - Add to `.gitignore` immediately |
Access to .env file
| 461 | dotenvx run -f .env.production -- npm run build |
Access to .env file
| 469 | git add .env |
Access to .env file
| 473 | # Developer 2: Pulls and runs (has .env.keys locally) |
Access to .env file
| 482 | cat .env.keys | pbcopy # Copy to clipboard |
Access to .env file
| 497 | Error: Missing private key for .env.production |
Access to .env file
| 502 | # Option 1: Create/restore .env.keys file |
Access to .env file
| 503 | echo 'DOTENV_PRIVATE_KEY_PRODUCTION="abc123..."' > .env.keys |
Access to .env file
| 516 | dotenvx keypair -f .env.production |
Access to .env file
| 519 | dotenvx decrypt -f .env.production # If you have the right key |
Access to .env file
| 520 | dotenvx encrypt -f .env.production |
Access to .env file
| 527 | dotenvx run --debug -- node -e "console.log(process.env)" |
Access to .env file
| 530 | dotenvx run -f .env.production --verbose -- echo "loaded" |
Access to .env file
| 537 | grep "encrypted:" .env* |
Access to .env file
| 539 | # Ensure matching .env.keys entries |
Access to .env file
| 540 | cat .env.keys |
Access to .env file
| 564 | ### Step 3: Encrypt Existing .env |
Access to .env file
| 567 | # Encrypt current .env file |
Access to .env file
| 571 | cat .env # Should show encrypted: values |
Access to .env file
| 573 | # Save .env.keys somewhere secure! |
Access to .env file
| 574 | cat .env.keys |
Access to .env file
| 583 | "start": "dotenvx run -f .env.production -- node index.js" |
Access to .env file
| 616 | - .env file syntax reference |
External URL reference
| 110 | curl -sfS https://dotenvx.sh | sh |
External URL reference
| 323 | RUN curl -sfS https://dotenvx.sh | sh |
External URL reference
| 355 | run: curl -sfS https://dotenvx.sh | sh |
External URL reference
| 408 | BASE_URL=https://api.example.com |
External URL reference
| 434 | #/ [how it works](https://dotenvx.com/encryption) / |
External URL reference
| 593 | - [dotenvx Docs](https://dotenvx.com/docs/) |
External URL reference
| 595 | - [Encryption Details](https://dotenvx.com/encryption) |
External URL reference
| 598 | - [Vercel Guide](https://dotenvx.com/docs/platforms/vercel) |
External URL reference
| 599 | - [Heroku Guide](https://dotenvx.com/docs/platforms/heroku) |
External URL reference
| 600 | - [Docker Guide](https://dotenvx.com/docs/platforms/docker) |
External URL reference
| 601 | - [GitHub Actions](https://dotenvx.com/docs/cis/github-actions) |