doppler-secretops-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Flagged categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill relies on a remote MCP server hosted at 'https://rube.app/mcp', which is not a verified trusted source. This server controls the tool definitions and execution logic.
  • [DATA_EXFILTRATION] (HIGH): Since the skill's purpose is 'Doppler Secretops', it manages highly sensitive API keys and environment secrets. Routing these operations through an unverified third-party MCP proxy creates a significant risk of credential exposure or exfiltration to the 'rube.app' infrastructure.
  • [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection through its tool discovery mechanism.
    • Ingestion points: The agent is instructed to call 'RUBE_SEARCH_TOOLS' to fetch schemas and 'recommended execution plans' from the remote server (SKILL.md).
    • Boundary markers: Absent. There are no instructions to ignore or sanitize embedded instructions within the fetched schemas.
    • Capability inventory: The agent has access to 'RUBE_MULTI_EXECUTE_TOOL' and 'RUBE_REMOTE_WORKBENCH', allowing for broad execution and system modification based on the untrusted input.
    • Sanitization: None. The skill mandates using the 'exact field names' and 'execution plans' returned by the remote query.
  • [REMOTE_CODE_EXECUTION] (MEDIUM): The 'RUBE_REMOTE_WORKBENCH' and dynamic execution of tool slugs defined by a remote source at runtime allow for remote logic execution on the agent's environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 12:31 PM