doppler-secret-validation
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill relies heavily on executing system commands via the Doppler CLI and Python subprocesses.
  - `scripts/validate_secret.py` and `scripts/test_api_auth.py` use `subprocess.run` to call `doppler secrets get`, passing secret names and project configurations as arguments.
  - While arguments are passed as a list, which mitigates standard shell injection, the skill's logic introduces other execution risks.
- [PROMPT_INJECTION]: A code injection vulnerability exists in the `scripts/validate_secret.py` script.
  - The `test_env_injection` function constructs a Python command string using f-string interpolation: `python3 -c f'import os; v = os.getenv("{secret_name}"); print("OK" if v else "MISSING")'`.
  - If an attacker provides a malicious `secret_name` (e.g., `VAR"); [payload] #`), they can execute arbitrary Python code within the context of the agent's environment.
- [DATA_EXFILTRATION]: The skill provides a mechanism that can be easily repurposed for data exfiltration.
  - `scripts/test_api_auth.py` takes an `--api-url` and a `--secret` name, then sends the retrieved secret as a Bearer token to that URL via `urllib.request.urlopen`.
  - There is no validation or whitelisting of the `api-url`. A malicious prompt could trick the agent into sending sensitive credentials to an attacker-controlled endpoint.
- [CREDENTIALS_UNSAFE]: The skill is designed to handle high-entropy secrets (AWS keys, GitHub tokens, PyPI tokens) in plaintext.
  - `SKILL.md` suggests a workflow (Step 1) that involves embedding secrets directly into command-line strings: `python3 -c "token = 'TOKEN_VALUE'; ..."`. This can leak secrets to shell history or process monitors and is susceptible to injection if the token contains quotes.
  - `scripts/validate_secret.py` includes a `--show-value` flag that, if triggered, prints the full plaintext secret to standard output.
Audit Metadata