Security

CommandIt runs snippets that can read environment variables, execute shell commands, and access your clipboard. This page explains the safety controls that protect your data.


Snippets can include {{env:NAME}} to read environment variables at paste time. Because environment variables may contain secrets (API keys, tokens, passwords), CommandIt requires your approval before reading each variable for the first time.

When you paste a snippet that reads an unapproved environment variable, a dialog appears:

  • Variable name — which variable the snippet wants to read (e.g., USER, GITHUB_TOKEN)
  • Current value — a preview of the variable’s current value (truncated to 50 characters)
  • Sensitive warning — variables matching known sensitive patterns (see below) show a warning-style dialog
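
| Choice  | Effect                                | Remembered?               |
|---------|---------------------------------------|---------------------------|
| Allow   | Variable resolves to its current value | Yes                       |
| Deny    | Variable resolves to empty string      | Yes                       |
| Not Now | Variable resolves to empty string      | No (asks again next time) |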

CommandIt flags variables matching these patterns as potentially sensitive:

  • API_KEY, APIKEY, SECRET, TOKEN, PASSWORD, PASSWD
  • CREDENTIAL, PRIVATE_KEY, AUTH
  • AWS_*, STRIPE_*, GITHUB_TOKEN, NPM_TOKEN
  • DATABASE_URL, CONNECTION_STRING, ENCRYPTION

Sensitive variables show a critical-style (red) alert with a warning icon.

Open Settings > Security to see all your approval decisions:

  • Each variable shows its name, your decision (Allow/Deny), and a badge
  • Delete a single decision to be prompted again next time
  • Clear All removes every decision — you’ll be prompted fresh for each variable

Snippets with {{shell:COMMAND}} execute real shell commands at paste time. Shell command variables require CommandIt Plus.


When you import snippets (from a file or a snippet pack), CommandIt scans for {{env:...}} and {{shell:...}} variables and shows a confirmation dialog listing every referenced variable and command. This prevents imported snippets from silently accessing your environment or running commands.
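
An offline pre-import check in the same spirit, as an added example (not CommandIt's code): it lists every {{env:...}} and {{shell:...}} reference in a pack and flags names on the sensitive list above. The matching rules (case-insensitive substring, prefix for the `*` entries), the function names and the sample pack are assumptions; the page does not document how CommandIt matches.

```python
import re

# Placeholder syntax from the page. Assumption: a body ends at the first "}}".
PLACEHOLDER = re.compile(r"\{\{(env|shell):(.*?)\}\}", re.DOTALL)

# Pattern list copied from the page. Matching rules are an assumption:
# case-insensitive substring match, and prefix match for the "*" entries.
SUBSTRINGS = ("API_KEY", "APIKEY", "SECRET", "TOKEN", "PASSWORD", "PASSWD",
              "CREDENTIAL", "PRIVATE_KEY", "AUTH", "GITHUB_TOKEN", "NPM_TOKEN",
              "DATABASE_URL", "CONNECTION_STRING", "ENCRYPTION")
PREFIXES = ("AWS_", "STRIPE_")


def is_sensitive(name):
    """True when a variable name matches the sensitive list (assumed rules)."""
    upper = name.upper()
    return upper.startswith(PREFIXES) or any(s in upper for s in SUBSTRINGS)


def audit_snippet(text):
    """Return {"env": {name: sensitive?}, "shell": [commands]} for one snippet."""
    found = {"env": {}, "shell": []}
    for kind, body in PLACEHOLDER.findall(text):
        body = body.strip()
        if kind == "env":
            found["env"][body] = is_sensitive(body)
        elif body not in found["shell"]:
            found["shell"].append(body)
    return found


def audit_pack(snippets):
    """Audit every snippet in a pack; keep only those that reference something."""
    report = {title: audit_snippet(text) for title, text in snippets.items()}
    return {t: r for t, r in report.items() if r["env"] or r["shell"]}


# Constructed sample pack for illustration only.
SAMPLE_PACK = {
    "greeting": "Hello from {{env:USER}}",
    "deploy": "token={{env:GITHUB_TOKEN}} region={{env:AWS_REGION}}",
    "branch": "On branch {{shell:git rev-parse --abbrev-ref HEAD}}",
    "plain": "No placeholders here",
}

if __name__ == "__main__":
    for title, result in audit_pack(SAMPLE_PACK).items():
        print(title, result)
```

Under the substring assumption a name such as AUTHOR is flagged because it contains AUTH, so a flag means "review this", not "this is a secret".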


  • Review Settings > Security periodically to audit which variables you’ve approved
  • Use Deny for variables you never want snippets to access
  • Use Not Now when you’re unsure — you can decide later
  • If a snippet pastes an empty value where you expected content, check if the variable was denied in Settings > Security