varlock
Secure environment variable management with Varlock. Use when handling secrets, API keys, credentials, or any sensitive configuration. Ensures secrets are never exposed in terminals, logs, traces, or Claude's context. Trigger phrases include "environment variables", "secrets", ".env", "API key", "credentials", "sensitive", "Varlock".
What this skill does
# Varlock Security Skill
Secure-by-default environment variable management for Claude Code sessions.
> **Repository**: https://github.com/dmno-dev/varlock
> **Documentation**: https://varlock.dev
## Core Principle: Secrets Never Exposed
When working with Claude, secrets must NEVER appear in:
- Terminal output
- Claude's input/output context
- Log files or traces
- Git commits or diffs
- Error messages
This skill ensures all sensitive data is properly protected.
---
## CRITICAL: Security Rules for Claude
### Rule 1: Never Echo Secrets
```bash
# ❌ NEVER DO THIS - exposes secret to Claude's context
echo $CLERK_SECRET_KEY
cat .env | grep SECRET
printenv | grep API
# ✅ DO THIS - validates without exposing
varlock load --quiet && echo "✓ Secrets validated"
```
### Rule 2: Never Read .env Directly
```bash
# ❌ NEVER DO THIS - exposes all secrets
cat .env
less .env
Read tool on .env file
# ✅ DO THIS - read schema (safe) not values
cat .env.schema
varlock load # Shows masked values
```
### Rule 3: Use Varlock for Validation
```bash
# ❌ NEVER DO THIS - exposes secret in error
test -n "$API_KEY" && echo "Key: $API_KEY"
# ✅ DO THIS - Varlock validates and masks
varlock load
# Output shows: API_KEY 🔐sensitive └ ▒▒▒▒▒
```
### Rule 4: Never Include Secrets in Commands
```bash
# ❌ NEVER DO THIS - secret in command history
curl -H "Authorization: Bearer sk_live_xxx" https://api.example.com
# ✅ DO THIS - use environment variable
curl -H "Authorization: Bearer $API_KEY" https://api.example.com
# Or better: varlock run -- curl ...
```
---
## Quick Start
### Installation
```bash
# Install Varlock CLI
curl -sSfL https://varlock.dev/install.sh | sh -s -- --force-no-brew
# Add to PATH (add to ~/.zshrc or ~/.bashrc)
export PATH="$HOME/.varlock/bin:$PATH"
# Verify
varlock --version
```
### Initialize Project
```bash
# Create .env.schema from existing .env
varlock init
# Or create manually
touch .env.schema
```
---
## Schema File: .env.schema
The schema defines types, validation, and sensitivity for each variable.
### Basic Structure
```bash
# Global defaults
# @defaultSensitive=true @defaultRequired=infer
# Application
# @type=enum(development,staging,production) @sensitive=false
NODE_ENV=development
# @type=port @sensitive=false
PORT=3000
# Database - SENSITIVE
# @type=url @required
DATABASE_URL=
# @type=string @required @sensitive
DATABASE_PASSWORD=
# API Keys - SENSITIVE
# @type=string(startsWith=sk_) @required @sensitive
STRIPE_SECRET_KEY=
# @type=string(startsWith=pk_) @sensitive=false
STRIPE_PUBLISHABLE_KEY=
```
### Security Annotations
| Annotation | Effect | Use For |
|------------|--------|---------|
| `@sensitive` | Redacted in all output | API keys, passwords, tokens |
| `@sensitive=false` | Shown in logs | Public keys, non-secret config |
| `@defaultSensitive=true` | All vars sensitive by default | High-security projects |
### Type Annotations
| Type | Validates | Example |
|------|-----------|---------|
| `string` | Any string | `@type=string` |
| `string(startsWith=X)` | Prefix validation | `@type=string(startsWith=sk_)` |
| `string(contains=X)` | Substring validation | `@type=string(contains=+clerk_test)` |
| `url` | Valid URL | `@type=url` |
| `port` | 1-65535 | `@type=port` |
| `boolean` | true/false | `@type=boolean` |
| `enum(a,b,c)` | One of values | `@type=enum(dev,prod)` |
---
## Safe Commands for Claude
### Validating Environment
```bash
# Check all variables (safe - masks sensitive values)
varlock load
# Quiet mode (no output on success)
varlock load --quiet
# Check specific environment
varlock load --env=production
```
### Running Commands with Secrets
```bash
# Inject validated env into command
varlock run -- npm start
varlock run -- node script.js
varlock run -- pytest
# Secrets are available to the command but never printed
```
### Checking Schema (Safe)
```bash
# Schema is safe to read - contains no values
cat .env.schema
# List expected variables
grep "^[A-Z]" .env.schema
```
---
## Common Patterns
### Pattern 1: Validate Before Operations
```bash
# Always validate environment first
varlock load --quiet || {
echo "❌ Environment validation failed"
exit 1
}
# Then proceed with operation
npm run build
```
### Pattern 2: Safe Secret Rotation
```bash
# 1. Update secret in external source (1Password, AWS, etc.)
# 2. Update .env file manually (don't use Claude for this)
# 3. Validate new value works
varlock load
# 4. If using GitHub Secrets, sync (values not shown)
./scripts/update-github-secrets.sh
```
### Pattern 3: CI/CD Integration
```yaml
# GitHub Actions - secrets from GitHub Secrets
- name: Validate environment
env:
DATABASE_URL: ${{ secrets.DATABASE_URL }}
API_KEY: ${{ secrets.API_KEY }}
run: varlock load --quiet
```
### Pattern 4: Docker Integration
```dockerfile
# Install Varlock in container
RUN curl -sSfL https://varlock.dev/install.sh | sh -s -- --force-no-brew \
&& ln -s /root/.varlock/bin/varlock /usr/local/bin/varlock
# Validate at container start
CMD ["varlock", "run", "--", "npm", "start"]
```
---
## Handling Secret-Related Tasks
### When User Asks to "Check if API key is set"
```bash
# ✅ Safe approach
varlock load 2>&1 | grep "API_KEY"
# Shows: ✅ API_KEY 🔐sensitive └ ▒▒▒▒▒
# ❌ Never do
echo $API_KEY
```
### When User Asks to "Debug authentication"
```bash
# ✅ Safe approach - check presence and format
varlock load # Validates types and required fields
# Check if key has correct prefix (without showing value)
varlock load 2>&1 | grep -E "(CLERK|AUTH)"
# ❌ Never do
printenv | grep KEY
```
### When User Asks to "Update a secret"
```
Claude should respond:
"I cannot directly modify secrets for security reasons. Please:
1. Update the value in your .env file manually
2. Or update in your secrets manager (1Password, AWS, etc.)
3. Then run `varlock load` to validate
I can help you update the .env.schema if you need to add new variables."
```
### When User Asks to "Show me the .env file"
```
Claude should respond:
"I won't read .env files directly as they contain secrets. Instead:
- Run `varlock load` to see masked values
- Run `cat .env.schema` to see the schema (safe)
- I can help you modify .env.schema if needed"
```
---
## External Secret Sources
### 1Password Integration
```bash
# In .env.schema
# @type=string @sensitive
API_KEY=exec('op read "op://vault/item/field"')
```
### AWS Secrets Manager
```bash
# In .env.schema
# @type=string @sensitive
DB_PASSWORD=exec('aws secretsmanager get-secret-value --secret-id prod/db')
```
### Environment-Specific Values
```bash
# In .env.schema
# @type=url
API_URL=env('API_URL_${NODE_ENV}', 'http://localhost:3000')
```
---
## Troubleshooting
### "varlock: command not found"
```bash
# Check installation
ls ~/.varlock/bin/varlock
# Add to PATH
export PATH="$HOME/.varlock/bin:$PATH"
# Or use full path
~/.varlock/bin/varlock load
```
### "Schema validation failed"
```bash
# Check which variables are missing/invalid
varlock load # Shows detailed errors
# Common fixes:
# - Add missing required variables to .env
# - Fix type mismatches (port must be number)
# - Check string prefixes match schema
```
### "Sensitive value exposed in logs"
```bash
# 1. Rotate the exposed secret immediately
# 2. Check .env.schema has @sensitive annotation
# 3. Ensure using varlock commands, not echo/cat
# Add missing sensitivity:
# Before: API_KEY=
# After: # @type=string @sensitive
# API_KEY=
```
---
## npm Scripts
Add these to your package.json:
```json
{
"scripts": {
"env:validate": "varlock load",
"env:check": "varlock load --quiet || echo 'Environment validation failed'",
"prestart": "varlock load --quiet",
"start": "varlock run -- node server.js"
}
}
```
---
## Security Checklist for New Projects
- [ ] Install Varlock CLI
- [ ] Create `.env.schema` with all variables defined
- [ ] Mark all secrets with `@sensitive` annotation
- [ ] Add `@defaultSensitive=true` to Related in Backend & APIs
jfrog
IncludedInteract with the JFrog Platform via the JFrog CLI and REST/GraphQL APIs. Use this skill when the user wants to manage Artifactory repositories, upload or download artifacts, manage builds, configure permissions, manage users and groups, work with access tokens, configure JFrog CLI servers, search artifacts, manage properties, set up replication, manage JFrog Projects, run security audits or scans, look up CVE details, query exposures scan results from JFrog Advanced Security, manage release bundles and lifecycle operations, aggregate or export platform data, or perform any JFrog Platform administration task. Also use when the user mentions jf, jfrog, artifactory, xray, distribution, evidence, apptrust, onemodel, graphql, workers, mission control, curation, advanced security, exposures, or any JFrog product name.
cupynumeric-migration-readiness
IncludedPre-migration readiness assessor for porting NumPy to cuPyNumeric. Use BEFORE substantial porting work begins when the user asks whether code will scale on GPU, whether they should migrate to cuPyNumeric, which NumPy patterns transfer cleanly, what must be refactored before porting, or mentions pre-port assessment, scaling analysis, or refactor planning. Inspect the user's source code, look up NumPy usage, cross-reference the cuPyNumeric API support manifest, and distinguish distributed-scaling-friendly patterns from blockers such as unsupported APIs, scalar synchronization, host round-trips, Python/object-heavy control flow, shape/data-dependent branching, and in-place mutation hazards. Produce a verdict of READY, LIGHT REFACTOR, SIGNIFICANT REFACTOR, or NOT RECOMMENDED, with concrete refactor pointers.
alibabacloud-data-agent-skill
IncludedInvoke Alibaba Cloud Apsara Data Agent for Analytics via CLI to perform natural language-driven data analysis on enterprise databases. Data Agent for Analytics is an intelligent data analysis agent developed by Alibaba Cloud Database team for enterprise users. It automatically completes requirement analysis, data understanding, analysis insights, and report generation based on natural language descriptions. This tool supports: discovering data resources (instances/databases/tables) managed in DMS, initiating query or deep analysis sessions, real-time progress tracking, and retrieving analysis conclusions and generated reports. Use this Skill when users need to query databases, analyze data trends, generate data reports, ask questions in natural language, or mention "Data Agent", "data analysis", "database query", "SQL analysis", "data insights".
token-optimizer
IncludedReduce OpenClaw token usage and API costs through smart model routing, heartbeat optimization, budget tracking, and native 2026.2.15 features (session pruning, bootstrap size limits, cache TTL alignment). Use when token costs are high, API rate limits are being hit, or hosting multiple agents at scale. The 4 executable scripts (context_optimizer, model_router, heartbeat_optimizer, token_tracker) are local-only — no network requests, no subprocess calls, no system modifications. Reference files (PROVIDERS.md, config-patches.json) document optional multi-provider strategies that require external API keys and network access if you choose to use them. See SECURITY.md for full breakdown.
resend-cli
IncludedUse this skill when the task is specifically about operating Resend from an AI agent, terminal session, or CI job via the official resend CLI: installing/authenticating the CLI, sending/listing/updating/cancelling emails, batch sends, domains and DNS, webhooks and local listeners, inbound receiving, contacts, topics, segments, broadcasts, templates, API keys, profiles, or debugging Resend CLI/API failures. Trigger on mentions of Resend CLI, `resend`, `resend doctor`, `resend emails send`, `resend domains`, `resend webhooks listen`, `resend emails receiving`, or agent-friendly terminal automation.
alibabacloud-odps-maxframe-coding
IncludedUse this skill for MaxFrame SDK development and documentation navigation on Alibaba Cloud MaxCompute (ODPS). Helps answer MaxFrame API, concept, official example, and supported pandas API questions; create data processing programs; read/write MaxCompute tables; debug jobs (remote or local); and build custom DPE runtime images. Trigger when users mention MaxFrame, MaxCompute with MaxFrame, ODPS table processing, DPE runtime, MaxFrame docs/examples, DataFrame/Tensor operations, or GPU runtime setup. Works for both English and Chinese queries about Alibaba Cloud data processing with MaxFrame.