Install: claude install-skill Miyamura-sudo/product-builder-starter
# Varlock Security Skill
Secure-by-default environment variable management for Claude Code sessions.
> **Repository**: https://github.com/dmno-dev/varlock
> **Documentation**: https://varlock.dev
## Core Principle: Secrets Never Exposed
When working with Claude, secrets must NEVER appear in:
- Terminal output
- Claude's input/output context
- Log files or traces
- Git commits or diffs
- Error messages
This skill ensures all sensitive data is properly protected.
---
## CRITICAL: Security Rules for Claude
### Rule 1: Never Echo Secrets
```bash
# ❌ NEVER DO THIS - exposes secret to Claude's context
echo $CLERK_SECRET_KEY
cat .env | grep SECRET
printenv | grep API
# ✅ DO THIS - validates without exposing
varlock load --quiet && echo "✓ Secrets validated"
```
### Rule 2: Never Read .env Directly
```bash
# ❌ NEVER DO THIS - exposes all secrets
cat .env
less .env
# (also never use the Read tool on the .env file)
# ✅ DO THIS - read schema (safe) not values
cat .env.schema
varlock load # Shows masked values
```
### Rule 3: Use Varlock for Validation
```bash
# ❌ NEVER DO THIS - prints the secret while validating it
test -n "$API_KEY" && echo "Key: $API_KEY"
# ✅ DO THIS - Varlock validates and masks
varlock load
# Output shows: API_KEY 🔐sensitive └ ▒▒▒▒▒
```
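As an added example (not part of Varlock or of this skill), the shell function below classifies a proposed command against Rules 1 to 3 before it is run. The function name `check_command`, the `SENSITIVE` name pattern, the list of reader commands and the verdict strings are all assumptions made for illustration.

```bash
# Added example: pre-execution check for Rules 1-3 (illustrative, not Varlock code).
SENSITIVE='(SECRET|TOKEN|PASSWORD|KEY)'   # assumed variable-naming convention

# Prints "read-dotenv", "dump-env", "print-secret" or "ok" for the command in $1.
check_command() {
    cmd=$1

    # Rule 2 (and `cat .env | grep ...` from Rule 1): a file reader aimed at a
    # dotenv file. .env.schema is allowed because it carries no values.
    reader=""; hit=""
    set -f                                   # split into words without globbing
    for word in $(printf '%s' "$cmd" | tr -d "\"'"); do
        case ${word##*/} in                  # compare the basename only
            cat|less|more|head|tail|grep) reader=$word ;;
            .env.schema) ;;
            .env|.env.*) if [ -n "$reader" ]; then hit=$word; fi ;;
        esac
    done
    set +f
    if [ -n "$hit" ]; then echo "read-dotenv"; return 0; fi

    # Rule 1: dumping the whole environment (bare printenv/env, often piped).
    if printf '%s\n' "$cmd" |
        grep -Eq '(^|[;&|[:space:]])(printenv|env)[[:space:]]*($|[|;&>])'; then
        echo "dump-env"; return 0
    fi

    # Rules 1 and 3: echo/printf expanding a sensitive-looking variable.
    if printf '%s\n' "$cmd" |
        grep -Eq "(echo|printf)[^;&|]*\\\$\{?[A-Za-z0-9_]*${SENSITIVE}"; then
        echo "print-secret"; return 0
    fi
    echo "ok"
}

# Constructed sample input: the commands shown in the rules above.
while IFS= read -r line; do
    printf '%-13s %s\n' "$(check_command "$line")" "$line"
done <<'EOF'
echo $CLERK_SECRET_KEY
cat .env | grep SECRET
printenv | grep API
test -n "$API_KEY" && echo "Key: $API_KEY"
cat .env.schema
varlock load --quiet && echo "Secrets validated"
EOF
```

The check is pattern-based and conservative: it only recognises the command shapes listed in the rules, so it complements the rules rather than replacing them.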
### Rule 4: Never Include Secrets in Commands
```bash
# ❌ NEVER DO THIS - secret in command history
curl -H "Authorization: Bearer sk_live_xxx" https://api.example.com
# ✅ DO THIS - use environment variable
curl -H "Authorization: Bearer $API_KEY" http