doppler
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, COMMAND_EXECUTION)
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (CRITICAL): The installation metadata includes the command curl -sLf https://cli.doppler.com/install.sh | sh. Piped shell execution of remote scripts is a critical vulnerability because the content of the script is executed without verification.
- External Downloads (HIGH): The skill downloads code from cli.doppler.com. While this is the official Doppler domain, it is not included in the 'Trusted External Sources' list, meaning the download and execution of this script is treated as high-risk.
- Data Exposure & Exfiltration (MEDIUM): The skill handles high-value credentials, including DOPPLER_TOKEN and various API keys like GEMINI_API_KEY. Managing these within the agent's context creates a significant risk surface for credential exposure or accidental logging.
- Command Execution (LOW): The skill documentation describes using doppler run -- some-command, which involves the execution of arbitrary shell commands with injected secrets, introducing a potential path for command injection if inputs are not sanitized.
Recommendations
- HIGH: Downloads and executes remote code from: https://cli.doppler.com/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata