diff --git a/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py b/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py
index 2e571c8f7..5b1b8182f 100644
--- a/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py
+++ b/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py
@@ -85,7 +85,9 @@ class SecretStore(StoreBase):
self, key_dir: Path, generator: Generator, secret_name: str
) -> bool:
secret_path = self.secret_path(generator, secret_name)
- return sops.SopsKey.load_dir(key_dir) in sops.get_recipients(secret_path)
+ recipient = sops.SopsKey.load_dir(key_dir)
+ recipients = sops.get_recipients(secret_path)
+ return recipient in recipients
def secret_path(self, generator: Generator, secret_name: str) -> Path:
return self.directory(generator, secret_name)
@@ -221,9 +223,10 @@ class SecretStore(StoreBase):
recipients_to_add = wanted_recipients - current_recipients
var_id = f"{generator.name}/{name}"
msg = (
- f"One or more recipient keys were added to secret{' shared' if generator.share else ''} var '{var_id}', but it was never re-encrypted. "
- f"This could have been a malicious actor trying to add their keys, please investigate. "
- f"Added keys: {', '.join(f"{r.key_type.name}:{r.pubkey}" for r in recipients_to_add)}"
+ f"One or more recipient keys were added to secret{' shared' if generator.share else ''} var '{var_id}', but it was never re-encrypted.\n"
+ f"This could have been a malicious actor trying to add their keys, please investigate.\n"
+ f"Added keys: {', '.join(f"{r.key_type.name}:{r.pubkey}" for r in recipients_to_add)}\n"
+ f"If this is intended, run 'clan vars fix' to re-encrypt the secret."
)
return needs_update, msg
@@ -246,6 +249,8 @@ class SecretStore(StoreBase):
file_found = True
else:
continue
+ if not file.secret:
+ continue
secret_path = self.secret_path(generator, file.name)
update_keys(
diff --git a/pkgs/clan-cli/tests/test_vars.py b/pkgs/clan-cli/tests/test_vars.py
index 24ef8b4e4..25cde260a 100644
--- a/pkgs/clan-cli/tests/test_vars.py
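Review bot: The "Added keys" line of the rebuilt message keeps a double-quoted f-string nested inside a double-quoted f-string, which is hard to read in a security warning that operators have to act on and only parses on Python 3.12+ (PEP 701); if the project still supports older interpreters this line will not even compile. Hoisting the join out of the message avoids both problems: `added = ", ".join(f"{r.key_type.name}:{r.pubkey}" for r in recipients_to_add)` before `msg = (`, then `f"Added keys: {added}\n"` in its place. Since the two preceding sentences already say the keys may have been planted by an attacker, the new last sentence reads more safely as `f"If these keys are expected, run 'clan vars fix' to re-encrypt the secret."`, so the remediation is tied to the check the operator is asked to perform. The enclosing function starts outside the hunk.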
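Review bot: In the third hunk the new `if not file.secret: continue` comes after `file_found = True`, so a non-secret file that matches by name is reported as found yet silently skipped, with no message about why nothing was re-keyed; whether that surprises a user running the fix command on a public var depends on how `file_found` is consumed, which is outside the hunk. The intent of the skip is also not stated, so a reader could read it as a bug; a one-line comment would settle it, e.g. `# non-secret files are not sops-encrypted (presumably), so there are no recipients to update`, adjusted once the storage of public vars is confirmed. The enclosing loop and function begin and end outside the hunk, and the rendering has lost the indentation, so the nesting of the new check relative to the `else: continue` above it cannot be verified here.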
+++ b/pkgs/clan-cli/tests/test_vars.py
@@ -177,7 +177,10 @@ def test_generate_secret_var_sops_with_default_group(
config["clan"]["core"]["sops"]["defaultGroups"] = ["my_group"]
my_generator = config["clan"]["core"]["vars"]["generators"]["my_generator"]
my_generator["files"]["my_secret"]["secret"] = True
- my_generator["script"] = "echo hello > $out/my_secret"
+ my_generator["files"]["my_public"]["secret"] = False
+ my_generator["script"] = (
+ "echo hello > $out/my_secret && echo hello > $out/my_public"
+ )
flake.refresh()
monkeypatch.chdir(flake.path)
sops_setup.init()
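Review bot: The test now generates a non-secret `my_public` file next to `my_secret`, but within the visible lines nothing asserts the behaviour that file is there to exercise, namely that the recipient update skips it; the function continues past the hunk, so the assertion may exist further down. If it does not, the change only proves the generator still runs with two outputs, and a regression that re-keys or tries to decrypt the public file would pass. A short comment at the new line, such as `# a public file is generated too, so the sops re-keying path must ignore non-secret files`, would make the purpose of the second output clear to the next reader.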