diff --git a/pkgs/additional/sane-scripts/default.nix b/pkgs/additional/sane-scripts/default.nix
index 1d0f83fe..6c3327c9 100644
--- a/pkgs/additional/sane-scripts/default.nix
+++ b/pkgs/additional/sane-scripts/default.nix
@@ -35,7 +35,6 @@ let
 inetutils
 iwd
 jq
- oath-toolkit
 openssh
 openssl
 nix-shell-scripts.ip-check
@@ -77,7 +76,6 @@ let
 "cannot:${gocryptfs}/bin/gocryptfs"
 "cannot:${ifuse}/bin/ifuse"
 "cannot:${iwd}/bin/iwctl"
- "cannot:${oath-toolkit}/bin/oathtool"
 "cannot:${openssh}/bin/ssh-keygen"
 "cannot:${rmlint}/bin/rmlint"
 "cannot:${rsync}/bin/rsync"
@@ -238,6 +236,21 @@ let
 pname = "sane-reclaim-boot-space";
 src = ./src;
 };
+ secrets-dump = static-nix-shell.mkBash {
+ pname = "sane-secrets-dump";
+ src = ./src;
+ pkgs = [ "gnugrep" "sops" "oath-toolkit" ];
+ };
+ secrets-unlock = static-nix-shell.mkBash {
+ pname = "sane-secrets-unlock";
+ src = ./src;
+ pkgs = [ "coreutils-full" "openssh" "ssh-to-age" ];
+ };
+ secrets-update-keys = static-nix-shell.mkBash {
+ pname = "sane-secrets-update-keys";
+ src = ./src;
+ pkgs = [ "coreutils-full" "findutils" "sops" ];
+ };
 };
 in symlinkJoin {
diff --git a/pkgs/additional/sane-scripts/src/sane-secrets-dump b/pkgs/additional/sane-scripts/src/sane-secrets-dump
index cb696e7b..d19f9021 100755
--- a/pkgs/additional/sane-scripts/src/sane-secrets-dump
+++ b/pkgs/additional/sane-scripts/src/sane-secrets-dump
@@ -1,4 +1,5 @@
-#!/usr/bin/env bash
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p gnugrep -p oath-toolkit -p sops
 # use: `sane-dump-secret /path/to/accounts/website.yaml`
 # dumps relevant information about the account, include a OTP code if present
 secrets=$(sops -d --output-type dotenv $1)
diff --git a/pkgs/additional/sane-scripts/src/sane-secrets-unlock b/pkgs/additional/sane-scripts/src/sane-secrets-unlock
index a767a346..efdbfaf0 100755
--- a/pkgs/additional/sane-scripts/src/sane-secrets-unlock
+++ b/pkgs/additional/sane-scripts/src/sane-secrets-unlock
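Review bot: The usage comment on the line after the new shebang names the command `sane-dump-secret`, while the script file and its pname in default.nix are `sane-secrets-dump`; the comment should read `# use: \`sane-secrets-dump /path/to/accounts/website.yaml\``. On the hunk's last line `$1` is passed to sops unquoted, so a path containing whitespace or glob characters is split or expanded before decryption; `secrets=$(sops -d --output-type dotenv "$1")` keeps the argument intact. The decrypted material is held in the `secrets` shell variable for the rest of the script, which continues outside the hunk, so how it is later echoed or filtered cannot be reviewed here.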
@@ -1,4 +1,5 @@
-#!/usr/bin/env bash
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p coreutils-full -p openssh -p ssh-to-age
 # unlocks the SOPS store (i.e. populate a SOPS key from the user's SSH key)
 set -ex
diff --git a/pkgs/additional/sane-scripts/src/sane-secrets-update-keys b/pkgs/additional/sane-scripts/src/sane-secrets-update-keys
index 390438b9..7d0938b4 100755
--- a/pkgs/additional/sane-scripts/src/sane-secrets-update-keys
+++ b/pkgs/additional/sane-scripts/src/sane-secrets-update-keys
@@ -1,4 +1,5 @@
-#!/usr/bin/env bash
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p coreutils-full -p findutils -p sops
 # after modifying .sops.yaml, run this to re-encode all secrets to the new keys
 # pass the base directory (under which *everything* is a secret) as argument
 for i in $(find "$1" -print)
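Review bot: `set -ex` on the line after the new shebang traces every command and its arguments to stderr, and the toolset the shebang now pins (`openssh`, `ssh-to-age`) together with the comment indicate this script derives a SOPS/age key from the user's SSH key; if a derived key or passphrase is ever expanded as a command argument, `-x` would echo it into the terminal or any captured log. Unless tracing is deliberately wanted, `set -eu` (dropping `-x`, adding a failure on unset variables) is the safer default, and if `-x` is intentional a comment saying so would help the next reader. The script body continues outside the hunk, so whether key material actually appears in a traced command cannot be confirmed here.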
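Review bot: `for i in $(find "$1" -print)` on the hunk's last line word-splits and glob-expands find's output, so a secret whose path contains whitespace or glob characters arrives as several `$i` values and is skipped or processed under a wrong name; iterate over NUL-terminated names instead: `find "$1" -print0 | while IFS= read -r -d '' i; do`. The walk also yields `"$1"` itself and every directory beneath it, not only files, which the comment's "*everything* is a secret" wording may not intend; `-type f` would restrict it to regular files. The loop body continues outside the hunk, so whether it already filters directories or relies on variables set inside the loop (which a piped `while` would not propagate) cannot be seen here.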