Hikkywannafly/env-manager
skills/env-manager/SKILL.md
Generate and validate .env.local and .env.example files for vibe-kit projects. Ensures all required secrets are present before build or deploy. Never logs secret values. Activated at project init and before vibe-deploy.
development
Updated Apr 25, 2026
$ install --global
skillsauthnpx skillsauth add Hikkywannafly/vibe-kit env-managerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 25, 2026, 5:08 PM137.3s1 file scanned
SKILL.md
- name:
- env-manager
- description:
- >
- argument-hint:
- [generate | validate | 'them bien moi']
env-manager — Environment Variable Management
Purpose
Generate .env.local templates, validate required keys exist, and produce
.env.example with placeholder values safe to commit. Runs before every deploy.
Required Variables for vibe-kit
# Supabase
NEXT_PUBLIC_SUPABASE_URL=https://xxxx.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJhbGci...
# Polar (payment)
POLAR_ACCESS_TOKEN=polar_at_...
POLAR_WEBHOOK_SECRET=whsec_...
# App
NEXT_PUBLIC_APP_URL=https://tenwebsite.vn
.env.example (safe to commit)
# Supabase — lay tu supabase.com/dashboard > Settings > API
NEXT_PUBLIC_SUPABASE_URL=
NEXT_PUBLIC_SUPABASE_ANON_KEY=
# Polar — lay tu polar.sh/dashboard > Settings > API Keys
POLAR_ACCESS_TOKEN=
POLAR_WEBHOOK_SECRET=
# URL cua website (khong co dau / cuoi)
NEXT_PUBLIC_APP_URL=
Validation Script
// scripts/validate-env.ts
const required = [
"NEXT_PUBLIC_SUPABASE_URL",
"NEXT_PUBLIC_SUPABASE_ANON_KEY",
"NEXT_PUBLIC_APP_URL",
]
const missing = required.filter(key => !process.env[key])
if (missing.length > 0) {
console.error("Thieu bien moi truong:", missing.join(", "))
console.error("Kiem tra file .env.local va dien day du truoc khi chay.")
process.exit(1)
}
console.log("Tat ca bien moi truong hop le.")
Add to package.json:
{
"scripts": {
"predev": "npx ts-node scripts/validate-env.ts",
"prebuild": "npx ts-node scripts/validate-env.ts"
}
}
Security Rules
.env.localis in.gitignore— never commit it.env.examplehas empty values only — safe to commit- Never
console.logany env value in server code NEXT_PUBLIC_prefix = exposed to browser — only use for non-secret config- Supabase anon key is safe for
NEXT_PUBLIC_(designed for client use) POLAR_ACCESS_TOKENandPOLAR_WEBHOOK_SECRETmust NOT haveNEXT_PUBLIC_prefix
Vercel Environment Variables
After deploy, set via Vercel dashboard: Project → Settings → Environment Variables → Add each key for Production.
Or via CLI:
vercel env add POLAR_ACCESS_TOKEN production
Related Skills
Hikkywannafly/vietnamese-copy
data-ai
VerifiedTrustedCommunity
Generate Vietnamese marketing copy, UI strings, CTAs, error messages, and email templates for vibe-kit projects. Tone: friendly, conversational, Southern Vietnamese style. Activated for any user-visible text generation.
SKILL.mdUpdated Apr 25, 2026
Hikkywannafly/vibe
development
VerifiedTrustedCommunity
One-shot orchestrator. Turns the prose after /vibe into a shipped product by clarifying intent, rendering a plan, gating on approval, then spawning planner+researcher+fullstack-dev+tester+reviewer agents in sequence. User-visible strings match the user's input language (Vietnamese by default for VN users). Two modes: SAFE (default — clarify + show plan + wait for approval, max 1 round-trip) and YOLO (skip clarify+approval, run full auto with smart defaults — for demos and power users). YOLO triggers: prose contains `yolo`, `nhanh nha`, `lam luon`, `khoi hoi`, `auto`, or args start with `yolo`. Trigger phrases (EN + VN): "build me a site", "make me a landing page", "create a shop", "I need an app", "vibe lam website", "tao cho toi mot", "xay dung shop online", "lam landing page", "can mot app".
SKILL.mdUpdated Apr 25, 2026
Hikkywannafly/vibe-security
tools
VerifiedTrustedCommunity
On-demand security audit for vibe-kit projects. Stack-aware checks for Next.js App Router + Supabase + Polar: secrets leak, RLS gaps, service-role key in client bundle, missing webhook signature verification, unprotected API routes, weak headers, dependency vulns. Outputs a Vietnamese P0/P1/P2 report with file:line + fix hints. User-visible strings match the user's input language (Vietnamese by default for VN users). Trigger phrases (EN + VN): "check security", "audit it", "security scan", "is this safe to launch", "kiem tra bao mat", "quet bao mat", "audit du an", "co an toan khong", "scan bao mat truoc khi deploy".
SKILL.mdUpdated Apr 25, 2026
Hikkywannafly/vibe-rn-supabase
tools
VerifiedTrustedCommunity
Wire Supabase JS client into a React Native (Expo) vibe-kit project: session persistence via AsyncStorage, magic-link OAuth callback via expo-linking deep links, Realtime subscriptions on RN, and shared TypeScript types with the Next.js webapp twin (vibe-kit's typical web<->mobile pair pattern). This is the mobile counterpart of `auth-magic-link` (web). User-visible strings match the user's input language (Vietnamese by default for VN users). Trigger phrases (EN + VN): "supabase react native", "supabase mobile", "auth mobile expo", "magic link mobile", "tich hop supabase vao app", "supabase deep link".
SKILL.mdUpdated Apr 25, 2026