varlock

# Varlock Security Skill Secure-by-default environment variable management for Claude Code sessions. > **Repository**: https://github.com/dmno-dev/varlock > **Documentation**: https://varlock.dev ## Core Principle: Secrets Never Exposed When working with Claude, secrets must NEVER appear in: - Terminal output - Claude's input/output context - Log files or traces - Git commits or diffs - Error messages This skill ensures all sensitive data is properly protected. --- ## CRITICAL: Security Rules for Claude ### Rule 1: Never Echo Secrets ```bash # ❌ NEVER DO THIS - exposes secret to Claude's context echo $CLERK_SECRET_KEY cat .env | grep SECRET printenv | grep API # ✅ DO THIS - validates without exposing varlock load --quiet && echo "✓ Secrets validated" ``` ### Rule 2: Never Read .env Directly ```bash # ❌ NEVER DO THIS - exposes all secrets cat .env less .env Read tool on .env file # ✅ DO THIS - read schema (safe) not values cat .env.schema varlock load # Shows masked values ``` ### Rule 3: Use Varlock for Validation ```bash # ❌ NEVER DO THIS - exposes secret in error test -n "$API_KEY" && echo "Key: $API_KEY" # ✅ DO THIS - Varlock validates and masks varlock load # Output shows: API_KEY 🔐sensitive └ ▒▒▒▒▒ ``` ### Rule 4: Never Include Secrets in Commands ```bash # ❌ NEVER DO THIS - secret in command history curl -H "Authorization: Bearer sk_live_xxx" https://api.example.com # ✅ DO THIS - use environment variable curl -H "Authorization: Bearer $API_KEY" http...