Just create a .env/vars.env file which is not kept in source code, define some Bash variables here with sensitive data and then run sparrowdo cli referencing those variables in this file in a safe way:

—tags password=.env[PASSWORD],token=.env[TOKEN]

• variables are not exposed in bash history
• not seen via ps aux
• variables file gets transferred to remote host over scp
• file with variables not kept on remote host ( immediately removed after exporting to Sparrowdo scenario )
• host specific vs default env variables allowed

Safe and simple