varlock

Manages environment variables securely in Claude Code sessions, ensuring sensitive data remains protected and never exposed.

Security score: 0/100

The varlock skill was audited on May 14, 2026 and we found 54 security issues across 4 threat categories, including 4 high-severity. Review the findings below before installing.

Security Issues

high line 314

Direct command execution function call

Source: SKILL.md
314: API_KEY=exec('op read "op://vault/item/field"')
high line 322

Direct command execution function call

Source: SKILL.md
322: DB_PASSWORD=exec('aws secretsmanager get-secret-value --secret-id prod/db')
medium line 235

Template literal with variable interpolation in command context

Source: SKILL.md
235: ```yaml
medium line 327

Template literal with variable interpolation in command context

Source: SKILL.md
327: ```bash
high line 93

Piping content to sh shell

Source: SKILL.md
93: curl -sSfL https://varlock.dev/install.sh | sh -s -- --force-no-brew
high line 248

Piping content to sh shell

Source: SKILL.md
248: RUN curl -sSfL https://varlock.dev/install.sh | sh -s -- --force-no-brew \
medium line 78

Curl to non-GitHub URL

Source: SKILL.md
78: curl -H "Authorization: Bearer sk_live_xxx" https://api.example.com
medium line 81

Curl to non-GitHub URL

Source: SKILL.md
81: curl -H "Authorization: Bearer $API_KEY" https://api.example.com
medium line 93

Curl to non-GitHub URL

Source: SKILL.md
93: curl -sSfL https://varlock.dev/install.sh | sh -s -- --force-no-brew
medium line 248

Curl to non-GitHub URL

Source: SKILL.md
248: RUN curl -sSfL https://varlock.dev/install.sh | sh -s -- --force-no-brew \
low line 95

Access to hidden dotfiles in home directory

Source: SKILL.md
95: # Add to PATH (add to ~/.zshrc or ~/.bashrc)
low line 341

Access to hidden dotfiles in home directory

Source: SKILL.md
341: ls ~/.varlock/bin/varlock
low line 347

Access to hidden dotfiles in home directory

Source: SKILL.md
347: ~/.varlock/bin/varlock load
medium line 433

Access to hidden dotfiles in home directory

Source: SKILL.md
433: - See: `~/.claude/skills/clerk/SKILL.md`
medium line 438

Access to hidden dotfiles in home directory

Source: SKILL.md
438: - See: `~/.claude/skills/docker/SKILL.md`
medium line 249

Access to root home directory

Source: SKILL.md
249: && ln -s /root/.varlock/bin/varlock /usr/local/bin/varlock
medium line 21

Access to .env file

Source: SKILL.md
21: - You want a secure-by-default workflow built around Varlock instead of direct `.env` inspection.
low line 43

Access to .env file

Source: SKILL.md
43: cat .env | grep SECRET
medium line 50

Access to .env file

Source: SKILL.md
50: ### Rule 2: Never Read .env Directly
low line 54

Access to .env file

Source: SKILL.md
54: cat .env
low line 55

Access to .env file

Source: SKILL.md
55: less .env
low line 56

Access to .env file

Source: SKILL.md
56: Read tool on .env file
low line 59

Access to .env file

Source: SKILL.md
59: cat .env.schema
low line 105

Access to .env file

Source: SKILL.md
105: # Create .env.schema from existing .env
low line 109

Access to .env file

Source: SKILL.md
109: touch .env.schema
medium line 114

Access to .env file

Source: SKILL.md
114: ## Schema File: .env.schema
low line 198

Access to .env file

Source: SKILL.md
198: cat .env.schema
low line 201

Access to .env file

Source: SKILL.md
201: grep "^[A-Z]" .env.schema
low line 225

Access to .env file

Source: SKILL.md
225: # 2. Update .env file manually (don't use Claude for this)
low line 288

Access to .env file

Source: SKILL.md
288: 1. Update the value in your .env file manually
low line 292

Access to .env file

Source: SKILL.md
292: I can help you update the .env.schema if you need to add new variables."
medium line 295

Access to .env file

Source: SKILL.md
295: ### When User Asks to "Show me the .env file"
low line 299

Access to .env file

Source: SKILL.md
299: "I won't read .env files directly as they contain secrets. Instead:
low line 301

Access to .env file

Source: SKILL.md
301: - Run `cat .env.schema` to see the schema (safe)
low line 302

Access to .env file

Source: SKILL.md
302: - I can help you modify .env.schema if needed"
low line 312

Access to .env file

Source: SKILL.md
312: # In .env.schema
low line 320

Access to .env file

Source: SKILL.md
320: # In .env.schema
low line 328

Access to .env file

Source: SKILL.md
328: # In .env.schema
low line 357

Access to .env file

Source: SKILL.md
357: # - Add missing required variables to .env
low line 366

Access to .env file

Source: SKILL.md
366: # 2. Check .env.schema has @sensitive annotation
medium line 397

Access to .env file

Source: SKILL.md
397: - [ ] Create `.env.schema` with all variables defined
medium line 400

Access to .env file

Source: SKILL.md
400: - [ ] Add `.env` to `.gitignore`
medium line 401

Access to .env file

Source: SKILL.md
401: - [ ] Commit `.env.schema` to version control
medium line 404

Access to .env file

Source: SKILL.md
404: - [ ] Never use `cat .env` or `echo $SECRET` in Claude sessions
medium line 415

Access to .env file

Source: SKILL.md
415: | View schema | `cat .env.schema` |
medium line 420

Access to .env file

Source: SKILL.md
420: | `cat .env` | Exposes all secrets |
medium line 423

Access to .env file

Source: SKILL.md
423: | Read .env with tools | Secrets in Claude's context |
medium line 436

Access to .env file

Source: SKILL.md
436: - Mount `.env` file, never copy secrets to image
low line 16

External URL reference

Source: SKILL.md
16: > **Documentation**: https://varlock.dev
low line 78

External URL reference

Source: SKILL.md
78: curl -H "Authorization: Bearer sk_live_xxx" https://api.example.com
low line 81

External URL reference

Source: SKILL.md
81: curl -H "Authorization: Bearer $API_KEY" https://api.example.com
low line 93

External URL reference

Source: SKILL.md
93: curl -sSfL https://varlock.dev/install.sh | sh -s -- --force-no-brew
low line 248

External URL reference

Source: SKILL.md
248: RUN curl -sSfL https://varlock.dev/install.sh | sh -s -- --force-no-brew \
low line 330

External URL reference

Source: SKILL.md
330: API_URL=env('API_URL_${NODE_ENV}', 'http://localhost:3000')
Scanned on May 14, 2026