Varlock is a Claude Code skill that prevents accidental exposure of sensitive environment variables during AI-assisted development sessions. The tool wraps the Varlock CLI to enforce secure patterns when managing secrets, addressing common leak vectors including terminal output, Claude's input/output context, log files or traces, and git commits or diffs.
Key features include safe operations that never expose secret values in plain text. The varlock load command validates secrets with masked output, while varlock run executes commands with injected secrets without displaying them. Schema files (.env.schema) define variable types and sensitivity without exposing actual values.
Powerful schema annotations enable fine-grained control: @sensitive masks values in all output, @sensitive=false shows values for non-secret data like environment names, @required enforces mandatory variables, and type validation supports enums, URLs, and string patterns. This declarative approach documents environment requirements while maintaining security.
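The annotation behaviour described above, as an added Python sketch that is not Varlock's own code. The comment-decorator layout of the sample schema, the function names parse_schema and load, and the "****" mask are assumptions made for illustration; only the annotation names come from this page.

```python
import re

# Constructed sample schema. The "# @annotation" comment layout is assumed.
SCHEMA = """\
# @required @sensitive
DATABASE_URL=
# @required @sensitive=false @type=enum(development,staging,production)
APP_ENV=
# @sensitive
SENTRY_TOKEN=
"""

def parse_schema(text):
    """Return {name: {"sensitive": bool, "required": bool, "enum": list or None}}."""
    spec, pending = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            # Collect (annotation, value) pairs; value is "" for bare flags.
            pending += re.findall(r"@(\w+)(?:=(\S+))?", line)
        elif "=" in line:
            notes = dict(pending)
            enum = re.fullmatch(r"enum\((.*)\)", notes.get("type", ""))
            spec[line.split("=", 1)[0]] = {
                # Fail closed: anything not marked @sensitive=false is masked.
                "sensitive": notes.get("sensitive", "") != "false",
                "required": "required" in notes,
                "enum": enum.group(1).split(",") if enum else None,
            }
            pending = []
    return spec

def load(spec, env):
    """Validate env against spec; neither return value contains a secret."""
    errors, report = [], {}
    for name, rule in spec.items():
        value = env.get(name)
        if not value:
            if rule["required"]:
                errors.append(f"{name}: required but not set")
            continue
        if rule["enum"] and value not in rule["enum"]:
            # Name the allowed set; never echo a rejected value into the error.
            errors.append(f"{name}: not one of {rule['enum']}")
        report[name] = "****" if rule["sensitive"] else value
    return errors, report

if __name__ == "__main__":
    env = {"DATABASE_URL": "postgres://app:hunter2@db.internal/app",  # constructed
           "APP_ENV": "staging"}
    print(load(parse_schema(SCHEMA), env))
```

Variables with no sensitivity annotation are masked by default in this sketch, so a forgotten annotation hides a value rather than exposing it.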
The core principle is that secrets must never appear in Claude's context. This prevents AI-assisted development from inadvertently logging, displaying, or including sensitive credentials in generated code, commit messages, or debugging output. The skill enforces this boundary automatically without requiring developers to remember security practices.
Common use cases include development workflows with sensitive API keys or database credentials, Docker container deployments requiring secure entrypoints, integration with authentication services like Clerk, and team environments requiring audit trails for secret access. For Claude Code users, this skill enables secure secret management during AI-assisted development, protecting credentials while maintaining full development productivity through the command line.