varlock

The Varlock skill concept is coherent with its stated purpose of protecting secrets in Claude sessions. However, the footprint presents notable security concerns: (1) installation via an unverified, download-and-execute script from an external domain; (2) potential for secret retrieval through external secret sources (exec-based patterns) that could be misused if not tightly sandboxed; and (3) reliance on masking while guaranteeing no leakage requires stringent runtime guarantees across all execution contexts (local, CI, and Claude). Given these factors, the skill is SUSPICIOUS to HIGH risk (securityRisk approximately 0.8) due to supply-chain and credential-handling concerns, even though its intent is legitimate. Recommend migrating installation to a verifiable registry with cryptographic checks, adding explicit lockfiles or pinned releases, and validating all external secret integrations with strict sandboxing and least-privilege execution.