doppler-secret-validation

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill includes explicit commands and examples that require embedding raw API tokens/credentials (e.g., doppler secrets set SECRET="value", python token = 'TOKEN_VALUE', export SECRET=$(doppler secrets get ... --plain')), which would force an LLM to handle or emit secret values verbatim, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's test_api_auth.py (invoked in SKILL.md Step 4) performs HTTP requests to arbitrary API endpoints supplied via --api-url and interprets responses to decide authentication success, meaning untrusted third‑party content from those endpoints can influence the tool's decisions.