Skip to content
NeuralSkills
Deployment

Environment Variable Audit

Find missing, unused, or exposed environment variables in your codebase before they cause production issues.

Beginner Free Published: April 15, 2026
Compatible Tools claude-codechatgptgeminicopilotcursorwindsurfuniversal

The Problem

Environment variable issues are the silent killers of deployments. A missing variable crashes your app at runtime, an unused one clutters your config, and an exposed one in a committed .env file is a security incident. Most developers only discover these problems after deploying — when it’s already too late.

The Prompt

Audit the environment variables in my project. I'll provide my configuration files and code references. Identify every issue.

.ENV.EXAMPLE (or .env.local):
[paste your .env.example or .env template here]

CODE THAT REFERENCES ENV VARS:
[paste relevant code files — or describe: "Next.js app with Prisma and Stripe"]

DEPLOYMENT PLATFORM: [e.g., Vercel, AWS, Docker, Netlify]

Check for these issues:

1. **Missing Variables** — Referenced in code but not in .env.example
2. **Unused Variables** — Defined in .env but never referenced in code
3. **Exposed Secrets** — Sensitive values that might be committed or leaked client-side
4. **Client-Side Leaks** — Server-only secrets accessible in the browser (e.g., missing NEXT_PUBLIC_ prefix handling)
5. **Default Value Risks** — Fallback values that would cause silent failures in production
6. **Naming Inconsistencies** — Mixed conventions (camelCase vs SCREAMING_SNAKE)
7. **Missing Validation** — No startup check to verify required vars are set

For each issue, provide severity (critical/warning/info) and the fix.

Example Output

## Audit Results: 4 issues found

### CRITICAL: Secret exposed client-side
`STRIPE_SECRET_KEY` is used in `src/lib/stripe.ts` which is imported by a client component.
Fix: Move Stripe initialization to a server-only module (e.g., `src/lib/stripe.server.ts`).

### CRITICAL: Missing in production
`REDIS_URL` is referenced in `src/lib/cache.ts` but not listed in .env.example.
Fix: Add `REDIS_URL=` to .env.example and set it in your deployment platform.

### WARNING: Unused variable
`OLD_API_KEY` is defined in .env but not referenced anywhere in the codebase.
Fix: Remove it from .env.example and all deployment configs.

### INFO: No startup validation
Fix: Add a validation check at app startup using zod or a simple assertion function.

When to Use

Run this audit before every deployment to a new environment, after onboarding new team members who might misconfigure variables, or as a periodic security check. Particularly valuable when migrating between hosting platforms where env var naming conventions differ.

Pro Tips

  • Include your deployment config — paste your vercel.json, docker-compose.yml, or CI config so the AI can cross-reference which variables are actually set in each environment.
  • Ask for a validation snippet — follow up with “Generate a TypeScript env validation module using zod that checks all required variables at startup.”
  • Automate it — ask AI to generate a script that compares .env.example keys against process.env references in your codebase.