---
name: varlock
description: "Secure-by-default environment variable management for Claude Code sessions."
risk: critical
source: "https://github.com/dmno-dev/varlock"
version: 1.0.0
---

<!-- security-allowlist: curl-pipe-bash -->

# Varlock Security Skill

Secure-by-default environment variable management for Claude Code sessions.

> **Repository**: https://github.com/dmno-dev/varlock
> **Documentation**: https://varlock.dev

## When to Use
- You need to work with environment variables or secrets in a Claude Code session without exposing their values.
- The task involves validating, loading, or auditing secrets while keeping them out of logs, diffs, and assistant context.
- You want a secure-by-default workflow built around Varlock instead of direct `.env` inspection.

## Core Principle: Secrets Never Exposed

When working with Claude, secrets must NEVER appear in:
- Terminal output
- Claude's input/output context
- Log files or traces
- Git commits or diffs
- Error messages

Anything that reaches the terminal or a tool result becomes part of the assistant's context and of whatever transcript or trace is kept of the session, so the rules below treat "printed once" as "exposed".

---

## CRITICAL: Security Rules for Claude

### Rule 1: Never Echo Secrets

```bash
# ❌ NEVER DO THIS - exposes secret to Claude's context
echo $CLERK_SECRET_KEY
cat .env | grep SECRET
printenv | grep API

# ✅ DO THIS - validates without exposing
varlock load --quiet && echo "✓ Secrets validated"
```

### Rule 2: Never Read .env Directly

```bash
# ❌ NEVER DO THIS - exposes all secrets
cat .env
less .env
# (the same applies to using the Read tool on the .env file)

# ✅ DO THIS - read the schema (safe, contains no values), not the values
cat .env.schema
varlock load  # shows masked values
```

### Rule 3: Use Varlock for Validation

```bash
# ❌ NEVER DO THIS - exposes the secret in the success message
test -n "$API_KEY" && echo "Key: $API_KEY"

# ✅ DO THIS - Varlock validates and masks
varlock load
# Output shows: API_KEY 🔐sensitive └ ▒▒▒▒▒
```

The same applies to error paths: a command that interpolates the value into its error message, or a shell running with `set -x`, exposes the secret just as `echo` does.

### Rule 4: Never Include Secrets in Commands

```bash
# ❌ NEVER DO THIS - the literal secret lands in shell history and in the session transcript
curl -H "Authorization: Bearer sk_live_xxx" https://api.example.com

# ✅ DO THIS - reference the variable; history keeps only the name
curl -H "Authorization: Bearer $API_KEY" https://api.example.com

# Better: let Varlock inject the environment and expand the variable inside it.
# The single quotes matter: without them the calling shell expands $API_KEY
# before varlock runs, and the header is empty unless the variable was already exported.
varlock run -- sh -c 'curl -H "Authorization: Bearer $API_KEY" https://api.example.com'
```

Either form still places the expanded header in the process's argument list, where `ps` can read it for the duration of the request. That is a smaller exposure than history or the transcript, but not zero.

---

## Quick Start

### Installation

```bash
# Install Varlock CLI
curl -sSfL https://varlock.dev/install.sh | sh -s -- --force-no-brew

# Add to PATH (add to ~/.zshrc or ~/.bashrc)
export PATH="$HOME/.varlock/bin:$PATH"

# Verify
varlock --version
```

Piping an installer into `sh` executes whatever the server returns. Where policy requires it, download the script to a file, review it, and run that file with the same arguments.

### Initialize Project

```bash
# Create .env.schema from existing .env
varlock init

# Or create manually
touch .env.schema
```

---

## Schema File: .env.schema

The schema defines types, validation, and sensitivity for each variable. It is committed to version control and contains no secret values; the values live in `.env`, which is not committed.

### Basic Structure

```bash
# Global defaults
# @defaultSensitive=true @defaultRequired=infer

# Application
# @type=enum(development,staging,production) @sensitive=false
NODE_ENV=development

# @type=port @sensitive=false
PORT=3000

# Database - SENSITIVE (through @defaultSensitive=true; no explicit @sensitive needed)
# @type=url @required
DATABASE_URL=

# @type=string @required @sensitive
DATABASE_PASSWORD=

# API Keys - SENSITIVE
# @type=string(startsWith=sk_) @required @sensitive
STRIPE_SECRET_KEY=

# @type=string(startsWith=pk_) @sensitive=false
STRIPE_PUBLISHABLE_KEY=
```

With `@defaultSensitive=true` in the header, every variable is treated as sensitive unless it carries an explicit `@sensitive=false`; the explicit `@sensitive` on `DATABASE_PASSWORD` and `STRIPE_SECRET_KEY` is redundant but documents intent. The annotation that needs review is therefore `@sensitive=false`: each one is a decision to print a value.

### Security Annotations

| Annotation | Effect | Use For |
|------------|--------|---------|
| `@sensitive` | Value redacted in all output | API keys, passwords, tokens |
| `@sensitive=false` | Value shown unmasked in output and logs | Public keys, non-secret config |
| `@defaultSensitive=true` | All variables sensitive unless marked `@sensitive=false` | High-security projects |

### Type Annotations

| Type | Validates | Example |
|------|-----------|---------|
| `string` | Any string | `@type=string` |
| `string(startsWith=X)` | Prefix validation | `@type=string(startsWith=sk_)` |
| `string(contains=X)` | Substring validation | `@type=string(contains=+clerk_test)` |
| `url` | Valid URL | `@type=url` |
| `port` | 1-65535 | `@type=port` |
| `boolean` | true/false | `@type=boolean` |
| `enum(a,b,c)` | One of the listed values | `@type=enum(dev,prod)` |

---

## Safe Commands for Claude

### Validating Environment

```bash
# Check all variables (safe - masks sensitive values)
varlock load

# Quiet mode (no output on success)
varlock load --quiet

# Check specific environment
varlock load --env=production
```

### Running Commands with Secrets

```bash
# Inject validated env into command
varlock run -- npm start
varlock run -- node script.js
varlock run -- pytest

# Secrets are available to the command but are never printed by varlock itself.
# The command being run must not print them either (see Rule 1 and Rule 4).
```

### Checking Schema (Safe)

```bash
# Schema is safe to read - contains no values
cat .env.schema

# List expected variables
grep "^[A-Z]" .env.schema
```

---

## Common Patterns

### Pattern 1: Validate Before Operations

```bash
# Always validate environment first
varlock load --quiet || {
  echo "❌ Environment validation failed"
  exit 1
}

# Then proceed with operation
npm run build
```

### Pattern 2: Safe Secret Rotation

```bash
# 1. Update secret in external source (1Password, AWS, etc.)
# 2. Update .env file manually (don't use Claude for this)
# 3. Validate new value works
varlock load

# 4. If using GitHub Secrets, sync (values not shown)
#    (a project-local script, not part of Varlock)
./scripts/update-github-secrets.sh
```

### Pattern 3: CI/CD Integration

```yaml
# GitHub Actions - secrets from GitHub Secrets
- name: Validate environment
  env:
    DATABASE_URL: ${{ secrets.DATABASE_URL }}
    API_KEY: ${{ secrets.API_KEY }}
  run: varlock load --quiet
```

`--quiet` keeps even the masked report out of the job log, and the step fails the job when validation fails. The repository must be checked out first so that `.env.schema` is present in the workspace.

### Pattern 4: Docker Integration

```dockerfile
# Install Varlock in container
RUN curl -sSfL https://varlock.dev/install.sh | sh -s -- --force-no-brew \
    && ln -s /root/.varlock/bin/varlock /usr/local/bin/varlock

# Validate at container start
CMD ["varlock", "run", "--", "npm", "start"]
```

Provide the values at run time (environment, a mounted file, or the orchestrator's secret store). Do not `COPY` a `.env` into the image: it would persist in the image layers and in every registry that image is pushed to.

---

## Handling Secret-Related Tasks

### When User Asks to "Check if API key is set"

```bash
# ✅ Safe approach
varlock load 2>&1 | grep "API_KEY"
# Shows: ✅ API_KEY 🔐sensitive └ ▒▒▒▒▒

# ❌ Never do
echo $API_KEY
```

### When User Asks to "Debug authentication"

```bash
# ✅ Safe approach - check presence and format
varlock load  # Validates types and required fields

# Check if key has correct prefix (without showing value)
varlock load 2>&1 | grep -E "(CLERK|AUTH)"

# ❌ Never do
printenv | grep KEY
```

### When User Asks to "Update a secret"

```
Claude should respond:
"I cannot directly modify secrets for security reasons. Please:
1. Update the value in your .env file manually
2. Or update in your secrets manager (1Password, AWS, etc.)
3. Then run `varlock load` to validate

I can help you update the .env.schema if you need to add new variables."
```

### When User Asks to "Show me the .env file"

```
Claude should respond:
"I won't read .env files directly as they contain secrets. Instead:
- Run `varlock load` to see masked values
- Run `cat .env.schema` to see the schema (safe)
- I can help you modify .env.schema if needed"
```

---

## External Secret Sources

The `exec()` resolver runs the given command with the invoking user's credentials, so the CLI it calls (`op`, `aws`) must already be authenticated. Its output becomes the variable's value and is masked like any other sensitive value.

### 1Password Integration

```bash
# In .env.schema
# @type=string @sensitive
API_KEY=exec('op read "op://vault/item/field"')
```

### AWS Secrets Manager

```bash
# In .env.schema
# @type=string @sensitive
# get-secret-value returns a JSON document; --query/--output extract the plain value
DB_PASSWORD=exec('aws secretsmanager get-secret-value --secret-id prod/db --query SecretString --output text')
```

### Environment-Specific Values

```bash
# In .env.schema
# @type=url
API_URL=env('API_URL_${NODE_ENV}', 'http://localhost:3000')
```

---

## Troubleshooting

### "varlock: command not found"

```bash
# Check installation
ls ~/.varlock/bin/varlock

# Add to PATH
export PATH="$HOME/.varlock/bin:$PATH"

# Or use full path
~/.varlock/bin/varlock load
```

### "Schema validation failed"

```bash
# Check which variables are missing/invalid
varlock load  # Shows detailed errors

# Common fixes:
# - Add missing required variables to .env
# - Fix type mismatches (port must be a number in 1-65535)
# - Check string prefixes match schema
```

### "Sensitive value exposed in logs"

```bash
# 1. Rotate the exposed secret immediately
# 2. Treat the log as compromised until rotation is done: restrict or purge it
# 3. Check .env.schema has @sensitive annotation
# 4. Ensure using varlock commands, not echo/cat

# Add missing sensitivity:
# Before: API_KEY=
# After:  # @type=string @sensitive
#         API_KEY=
```

---

## npm Scripts

Add these to your package.json:

```json
{
  "scripts": {
    "env:validate": "varlock load",
    "env:check": "varlock load --quiet || { echo 'Environment validation failed' >&2; exit 1; }",
    "prestart": "varlock load --quiet",
    "start": "varlock run -- node server.js"
  }
}
```

`env:check` must exit non-zero when validation fails; `varlock load --quiet || echo '...'` alone would print the message and then report success to CI.

---

## Security Checklist for New Projects

- [ ] Install Varlock CLI
- [ ] Create `.env.schema` with all variables defined
- [ ] Mark all secrets with `@sensitive` annotation
- [ ] Add `@defaultSensitive=true` to schema header
- [ ] Add `.env` to `.gitignore`
- [ ] Commit `.env.schema` to version control
- [ ] Add `npm run env:validate` to CI/CD
- [ ] Document secret rotation procedure
- [ ] Never use `cat .env` or `echo $SECRET` in Claude sessions

---

## Quick Reference Card

| Task | Safe Command |
|------|-------------|
| Validate all env vars | `varlock load` |
| Quiet validation | `varlock load --quiet` |
| Run with env | `varlock run -- <cmd>` |
| View schema | `cat .env.schema` |
| Check specific var | `varlock load \| grep VAR_NAME` |

| Never Do | Why |
|----------|-----|
| `cat .env` | Exposes all secrets |
| `echo $SECRET` | Exposes to Claude context |
| `printenv \| grep` | Exposes matching secrets |
| Read .env with tools | Secrets in Claude's context |
| Hardcode in commands | In shell history and the session transcript |

---

## Integration with Other Skills

### Clerk Skill
- Test user passwords are `@sensitive`
- Test emails are `@sensitive=false` (contain +clerk_test, not secret)
- See: `~/.claude/skills/clerk/SKILL.md`

### Docker Skill
- Mount `.env` file, never copy secrets to image
- Use `varlock run` as entrypoint
- See: `~/.claude/skills/docker/SKILL.md`

---

*Last updated: December 22, 2025*
*Secure-by-default environment management for Claude Code*

## Limitations
- Use this skill only when the task clearly matches the scope described above.
- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.

---

Listing metadata (from the catalogue entry this page was extracted from): imported from https://github.com/sickn33/antigravity-awesome-skills; author: SkillOPIC; category: Programming and Development / Backend Development (API, databases, server-side architecture); package: varlock.zip (4080 bytes, SHA-256 0079a68c96d9737cc8c88d0f720e3e042fe6ee4cc12a3db3fdcc4c9c52fb6a27, containing SKILL.md); listed 2026-05-16.
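The schema, annotation and `varlock load` sections above describe what Varlock checks at load time. The script below is an added example written for this page, not Varlock's own code and not a replacement for it: it implements the same idea in plain POSIX shell for a constructed schema and two constructed env files. It parses the `@defaultSensitive`, `@defaultRequired`, `@type`, `@required` and `@sensitive` decorators shown on this page, validates each value, and prints only a masked report, so the script itself is safe to run in a session. The names `validate_schema`, `check_var` and `check_type`, the sample data, and the reading of `@defaultRequired=infer` as "required when the schema gives no default" are this edit's assumptions; check Varlock's documentation for its exact rule.

```shell
#!/bin/sh
# Added example (this edit's own code, not Varlock's): a minimal validator that
# mirrors the masked report of `varlock load`. Sensitive values are never printed;
# failure lines name the rule that failed, never the value.
set -f   # no pathname expansion while decorator lists are word-split below

# Constructed sample inputs for this example; none are real credentials.
SCHEMA='# @defaultSensitive=true @defaultRequired=infer
# @type=enum(development,staging,production) @sensitive=false
NODE_ENV=development
# @type=port @sensitive=false
PORT=3000
# @type=url @required
DATABASE_URL=
# @type=string(startsWith=sk_) @required @sensitive
STRIPE_SECRET_KEY=
# @type=string(startsWith=pk_) @sensitive=false
STRIPE_PUBLISHABLE_KEY='
GOOD_ENV='NODE_ENV=production
PORT=8080
DATABASE_URL=postgres://app:hunter2-constructed@db.internal:5432/app
STRIPE_SECRET_KEY=sk_test_constructed_value_000
STRIPE_PUBLISHABLE_KEY=pk_test_constructed_000'
BAD_ENV='NODE_ENV=production
PORT=99999
STRIPE_SECRET_KEY=pk_wrong_prefix_000
STRIPE_PUBLISHABLE_KEY=pk_test_constructed_000'

env_value() { # name -> value from the env text in $_env (internal use only)
  printf '%s\n' "$_env" | awk -F= -v k="$1" '$1 == k { sub(/^[^=]*=/, ""); print; exit }'
}

enum_has() { # "a,b,c" value -> 0 if value is one of the list
  _l="$1,"
  while [ -n "$_l" ]; do
    _i=${_l%%,*}; _l=${_l#*,}
    [ "$_i" = "$2" ] && return 0
  done
  return 1
}

check_type() { # type spec, value -> 0 if the value satisfies the spec (call inside `if`)
  case "$1" in
    string) return 0 ;;
    port)   case "$2" in ''|*[!0-9]*) return 1 ;; esac
            [ "$2" -ge 1 ] && [ "$2" -le 65535 ] ;;
    url)    case "$2" in ?*://?*) return 0 ;; *) return 1 ;; esac ;;
    enum\(*\)) _l=${1#"enum("}; enum_has "${_l%")"}" "$2" ;;
    string\(startsWith=*\)) _p=${1#"string(startsWith="}; _p=${_p%")"}
            case "$2" in "$_p"*) return 0 ;; *) return 1 ;; esac ;;
    *)      return 1 ;;   # unknown type: fail closed
  esac
}

check_var() { # name, pending decorators, schema default -> one masked report line
  name=$1; sensitive=$default_sensitive; type=string; required=false
  case "$default_required" in
    true)  required=true ;;
    infer) [ -z "$3" ] && required=true ;;   # assumption: no schema default means required
  esac
  for d in $2; do
    case "$d" in
      @sensitive)   sensitive=true ;;      @sensitive=*) sensitive=${d#*=} ;;
      @required)    required=true ;;       @required=*)  required=${d#*=} ;;
      @type=*)      type=${d#*=} ;;
    esac
  done
  val=$(env_value "$name"); [ -n "$val" ] || val=$3   # fall back to the schema default
  if [ -z "$val" ]; then
    [ "$required" = true ] && { printf '✗ %s missing (required)\n' "$name"; return 1; }
    printf '- %s unset (optional)\n' "$name"; return 0
  fi
  if check_type "$type" "$val"; then
    [ "$sensitive" = true ] && val='(sensitive) ▒▒▒▒▒'   # never echo a sensitive value
    printf '✓ %s %s\n' "$name" "$val"; return 0
  fi
  printf '✗ %s does not satisfy @type=%s\n' "$name" "$type"; return 1
}

validate_schema() { # schema text, env text -> masked report; non-zero if any check fails
  _schema=$1; _env=$2; default_sensitive=false; default_required=false; decos=''; failures=0
  while IFS= read -r line; do
    case "$line" in
      '# @'*)   # decorator line: @default* apply globally, the rest attach to the next variable
        for tok in ${line#"# "}; do
          case "$tok" in
            @defaultSensitive=*) default_sensitive=${tok#*=} ;;
            @defaultRequired=*)  default_required=${tok#*=} ;;
            *)                   decos="$decos $tok" ;;
          esac
        done ;;
      [A-Z_]*=*)   # variable line: consume the pending decorators
        check_var "${line%%=*}" "$decos" "${line#*=}" || failures=$((failures + 1))
        decos='' ;;
    esac
  done <<EOF
$_schema
EOF
  [ "$failures" -eq 0 ]
}

# Stand-alone run: a complete env passes; a broken one is reported without leaking values.
validate_schema "$SCHEMA" "$GOOD_ENV"
echo '---'
validate_schema "$SCHEMA" "$BAD_ENV" || echo "validation failed: fix .env, then re-run"
```

The second run reports `DATABASE_URL` as missing, `PORT` as out of range and `STRIPE_SECRET_KEY` as failing its prefix rule, and the report never contains the database password or the key, which is the property Rule 3 asks for.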
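Rule 4 and the "Running Commands with Secrets" section above depend on the variable being expanded inside the environment Varlock injects, not by the shell that types the command. The script below is an added example written for this page, not Varlock's code: `fake_varlock_run` is a stand-in that injects a constructed `API_KEY` the way `varlock run --` would, so the early-expansion mistake and its `sh -c '...'` fix can be observed without Varlock installed. It also adds a pre-flight guard, `refuse_inline_secret`, that rejects a command line carrying a literal `sk_live_`/`sk_test_` token before it reaches shell history; the prefixes follow the page's Stripe-style examples, and every name here is this edit's own.

```shell
#!/bin/sh
# Added example (this edit's own code, not Varlock's). Shows
#  1. why `varlock run -- cmd "$SECRET"` expands too early, and the `sh -c '...'` fix;
#  2. a pre-flight guard that refuses a command line containing a literal secret.

# Stand-in for `varlock run --`: inject a constructed (fake) secret, then run the command.
fake_varlock_run() {
  env API_KEY='sk_test_constructed_0000000000' "$@"
}

# The mistake: $API_KEY is expanded by the CALLER's shell, before the runner injects it.
header_expanded_by_caller() {
  unset API_KEY
  fake_varlock_run printf '%s' "Authorization: Bearer $API_KEY"
}

# The fix: single quotes defer expansion to the child shell, which has the injected env.
header_expanded_inside_env() {
  unset API_KEY
  fake_varlock_run sh -c 'printf "%s" "Authorization: Bearer $API_KEY"'
}

# Pre-flight guard: refuse a command line that carries a literal key (sk_live_/sk_test_).
refuse_inline_secret() { # $1 = the command line as one string
  case "$1" in
    *sk_live_[A-Za-z0-9]*|*sk_test_[A-Za-z0-9]*)
      echo 'refused: literal secret on the command line; reference $API_KEY inside varlock run' >&2
      return 1 ;;
  esac
  return 0
}

# Describe a header without printing the token: presence, length and prefix only.
describe_header() { # $1 = header string
  _tok=${1#"Authorization: Bearer "}
  [ -n "$_tok" ] || { echo 'empty token (expanded too early?)'; return 1; }
  echo "token present: ${#_tok} chars, prefix ${_tok%%_*}_"
}

# Stand-alone run.
describe_header "$(header_expanded_by_caller)" || true
describe_header "$(header_expanded_inside_env)"
refuse_inline_secret 'curl -H "Authorization: Bearer sk_live_abc123" https://api.example.com' || true
refuse_inline_secret 'curl -H "Authorization: Bearer $API_KEY" https://api.example.com' && echo 'ok to run'
```

The first call reports an empty token: the unquoted form sent `Authorization: Bearer ` with nothing after it, which is the silent failure a "debug authentication" request usually turns out to be. The guard is deliberately narrow; it catches the pattern the page warns about, not every possible credential format.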
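The "Sensitive value exposed in logs" entry under Troubleshooting says to rotate immediately, which first requires knowing which secret leaked, without printing it. The script below is an added example written for this page, not Varlock's code: given the env text, the log text, and the list of names the schema marks `@sensitive` (all constructed here), `find_leaked_secrets` reports only the names whose value appears verbatim in the log, and `redact_log` replaces those values with a `[REDACTED:NAME]` marker so the log can be shared for debugging. Function names and sample data are this edit's own; values are matched as fixed strings, never as patterns.

```shell
#!/bin/sh
# Added example (this edit's own code, not Varlock's): find which @sensitive
# variables leaked into a log by value, report only their NAMES, and redact them.

# Constructed inputs; fake values. They contain no backslashes, which `awk -v`
# would interpret; that is the one input restriction of this approach.
ENV_TEXT='NODE_ENV=production
PORT=8080
DATABASE_PASSWORD=hunter2-constructed
STRIPE_SECRET_KEY=sk_test_constructed_value_000
STRIPE_PUBLISHABLE_KEY=pk_test_constructed_000'
SENSITIVE='DATABASE_PASSWORD STRIPE_SECRET_KEY'   # the names the schema marks @sensitive
LOG_TEXT='2025-12-22T10:00:01Z INFO  server listening on :8080
2025-12-22T10:00:02Z DEBUG connecting to postgres://app:hunter2-constructed@db.internal:5432/app
2025-12-22T10:00:03Z ERROR stripe auth failed for key sk_test_constructed_value_000
2025-12-22T10:00:04Z INFO  NODE_ENV=production'

env_value() { # env text, name -> value
  printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }'
}

find_leaked_secrets() { # env text, log text, sensitive names -> names whose value is in the log
  for name in $3; do
    val=$(env_value "$1" "$name")
    [ -n "$val" ] || continue
    # grep -F: fixed-string match, so metacharacters in the value cannot act as a regex
    if printf '%s\n' "$2" | grep -F -q -- "$val"; then echo "$name"; fi
  done
}

redact_log() { # env text, log text, sensitive names -> log with leaked values replaced
  out=$2
  for name in $(find_leaked_secrets "$1" "$2" "$3"); do
    val=$(env_value "$1" "$name")
    # index()/substr(): plain substring replacement, no regex interpretation of the value
    out=$(printf '%s\n' "$out" | awk -v v="$val" -v r="[REDACTED:$name]" '{
      line = $0; res = ""
      while ((i = index(line, v)) > 0) {
        res = res substr(line, 1, i - 1) r; line = substr(line, i + length(v))
      }
      print res line
    }')
  done
  printf '%s\n' "$out"
}

# Stand-alone run: names to rotate, then the log as it is safe to share.
leaked=$(find_leaked_secrets "$ENV_TEXT" "$LOG_TEXT" "$SENSITIVE")
if [ -n "$leaked" ]; then
  echo 'rotate these now, then purge or restrict the original log:'; echo "$leaked"
  echo '--- redacted log ---'; redact_log "$ENV_TEXT" "$LOG_TEXT" "$SENSITIVE"
fi
```

Restricting the search to names the schema marks `@sensitive` is what keeps `NODE_ENV=production` from being reported as a leak; a value-only search would flag every non-secret that happens to appear in a log line. Short values are still a risk of false positives and of trivially guessable secrets, which is an argument for the prefix and length rules in the schema rather than for this script.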