With Electrum, you can have two wallets, one with the private keys on an airgapped machine, and one with watch-only addresses on a connected one that does not contain any private key.
You can create a raw transaction which you can transfer to your secure machine, sign it there, copy the signed transaction back and broadcast it. That way, the private key was never exposed to the potentially insecure machine.
You can do the same with the CLAM client. Create the raw transaction on an online machine and sign it on an airgapped offline machine:
$ clamd help createrawtransaction | head -1
createrawtransaction [{"txid":txid,"vout":n},...] {address:amount,...} [tx-comment]
$ clamd help signrawtransaction | head -1
signrawtransaction [{"txid":txid,"vout":n,"scriptPubKey":hex,"redeemScript":hex},...] [,...] [sighashtype="ALL"]