Skills environment-setup

📦

environment-setup

Name: environment-setup
Author: supercent-io

Medium Risk 🔑 Env variables⚙️ External commands

Set up environment variables across dev, staging, and production

Managing environment variables across multiple environments is error-prone and time-consuming. This skill provides templates and best practices for .env files, TypeScript configuration validation, and Docker environment handling so you can set up environments correctly the first time.

Supports: Claude Codex Code(CC)

⚠️ 62 Poor

Download the skill ZIP

Upload in Claude

Go to Settings → Capabilities → Skills → Upload skill

Toggle on and start using

Test it

Using "environment-setup". Create .env template for a Node.js API

Expected outcome:

Generated .env.example with sections for Application, Database, Redis, Authentication, Email (SMTP), External APIs (Stripe), AWS, Monitoring (Sentry), and Feature Flags. Each section includes comments explaining the variable purpose.

Using "environment-setup". Add environment validation with Zod

Expected outcome:

Created config/env.ts with Zod schema that validates DATABASE_URL is a valid URL, JWT secrets are at least 32 characters, SMTP_PORT is a number, and LOG_LEVEL is one of error/warn/info/debug. Throws descriptive errors on validation failure.

Using "environment-setup". Generate .gitignore rules for environment files

Expected outcome:

Added rules to prevent committing .env files: .env, .env.local, .env.*.local, and .env.production. Created .gitignore content block ready to copy into project.

Security Audit

Medium Risk

v1 • 3/19/2026

This skill is a documentation/education resource that provides templates and best practices for environment configuration. Static analysis flagged many patterns (credential examples, dotenv usage, environment variable access) but these are all placeholder examples in documentation, not actual executable code. The skill declares Read Write Edit Bash permissions, which is appropriate for configuration management. No malicious intent detected - all flagged patterns are legitimate documentation content. Users should be aware this skill can modify configuration files.

Files scanned

378

Lines analyzed

findings

Total audits

Medium Risk Issues (2)

SKILL.md:32-56

Educational Documentation Contains Credential Patterns

SKILL.md contains example .env templates with placeholder credentials (DATABASE_URL, AWS keys, SMTP passwords). These are documentation examples showing users how to structure their own configuration, not actual secrets. The skill does not exfiltrate or misuse these values.

SKILL.md:4

Broad Tool Permissions Declared

The skill declares allowed-tools: Read Write Edit Bash, providing broad file system and command execution capabilities. This is necessary for configuration management but means the skill could modify any file if given malicious instructions.

Low Risk Issues (2)

SKILL.md:169-189

Environment Variable Access in Documentation

Code examples show process.env usage patterns. These are educational examples teaching users how to access environment variables in TypeScript applications, not actual runtime environment access by the skill.

SKILL.md:29-61

Hardcoded URLs in Documentation Examples

Documentation contains example URLs (localhost:3000, sentry.io, myapp.com). These are placeholder examples showing URL formats, not actual network endpoints.

Risk Factors

🔑 Env variables (5)

SKILL.md:32 SKILL.md:55-56 SKILL.md:107 SKILL.md:127 SKILL.md:173

⚙️ External commands (1)

SKILL.md:25-67

Detected Patterns

Heuristic: Documentation Pattern Confusion

Audited by: claude

Quality Score

Architecture

100

Maintainability

Content

Community

Security

Spec Compliance

What You Can Build

Initialize environment configuration for a new project

Set up a complete environment configuration structure including .env.example, TypeScript validation, and per-environment configs to ensure consistent setup across your team.

Migrate legacy configuration to type-safe environment handling

Replace ad-hoc process.env access with validated Zod schemas and centralized configuration management for improved reliability and type safety.

Prepare production deployment configuration

Create production-specific environment templates with variable interpolation for secrets injection from CI/CD pipelines or secret managers.

Try These Prompts

Create .env template for my Node.js project

I need a .env.example template for a Node.js application that uses PostgreSQL, Redis, and sends email via SMTP. Include common variables for authentication, database pooling, and feature flags.

Add environment validation to existing config

Add Zod validation to our existing config/index.ts to ensure all required environment variables are present and properly formatted at startup. Include error handling with clear messages.

Set up multi-environment Docker configuration

Create a docker-compose.yml with separate environment configurations for development and production. Use env_file for local development and environment variables for production. Include PostgreSQL and Redis services.

Implement secrets rotation preparation

Set up environment configuration that supports AWS Secrets Manager for credential injection in production while using local .env files in development. Include validation for both scenarios.

Best Practices

Always use .env.example as a committed template showing required variables without actual secrets
Implement runtime validation with Zod at application startup to catch missing configuration early
Use environment-specific config files to keep environment-specific logic organized and maintainable

Avoid

Do not commit actual .env files with real credentials to version control
Avoid accessing environment variables directly throughout code; use a centralized config module
Do not use weak default values for secrets; require explicit configuration in production

Frequently Asked Questions

How do I keep my secrets safe when using this skill?

Never commit .env files with real credentials. Use .env.example as a template showing required variables, then copy it to .env.local for local development. In production, inject secrets from environment variables, AWS Secrets Manager, or HashiCorp Vault.

Can this skill connect to my database to validate credentials?

No, this skill generates configuration templates and code examples. It cannot validate that your database credentials actually work. Test your configurations manually after generation.

What is the difference between .env and .env.local?

.env files are typically committed as templates (without secrets) to show team members what variables are needed. .env.local files contain local-only overrides with actual secrets and should be in .gitignore.

How do I handle different values for development vs production?

Use separate config files like config/environments/development.ts and config/environments/production.ts. Load the appropriate one based on NODE_ENV. In docker-compose, use environment: for production values and env_file: for local development.

Why should I use Zod for environment validation?

Zod validates environment variables at runtime with clear error messages. This catches misconfiguration early before it causes cryptic errors deep in your application logic. It also provides TypeScript type inference.

Can I use this skill with languages other than TypeScript?

The skill focuses on TypeScript examples but the core concepts apply to any language. The .env file templates, docker-compose configurations, and .gitignore rules work universally. You would adapt the validation patterns to your language of choice.

Developer Details

Author

supercent-io

License

MIT

Repository

https://github.com/supercent-io/skills-template/tree/main/.agent-skills/environment-setup/

Ref

main

File structure

📄 SKILL.md

📄 SKILL.toon