dokploy
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The `scripts/dokploy-config.sh` file is vulnerable to shell injection. It uses an unquoted heredoc (`<< EOF`) to save the `DOKPLOY_API_KEY` and `DOKPLOY_API_URL` to a local configuration file (`~/.dokployrc`). This allows the shell to expand variables and execute command substitutions (e.g., `$(whoami)`) contained within the input strings at the time of file creation or when the user follows the instruction to `source` the file.
- [DATA_EXFILTRATION] (SAFE): The skill manages sensitive API keys by storing them in a local file in the user's home directory. This is standard behavior for CLI tools. Credentials are only transmitted to the API endpoint explicitly configured by the user.
- [EXTERNAL_DOWNLOADS] (SAFE): The skill requires standard system utilities (`curl`, `jq`) and uses locally provided scripts. It does not download or execute code from untrusted remote sources.
Audit Metadata