doppler-secret-validation
Audited by Socket on Feb 28, 2026
1 alert found:
Security: This skill's stated purpose (validating and testing Doppler-stored secrets) matches the documented capabilities: it shows how to add secrets to Doppler, validate retrieval, inject into environment for a single command, and run API authentication tests. The primary risks are operational/secret-management: explicit use of --plain exports and manual exports, caching via mise, and running local test scripts that will receive plaintext secrets. These patterns can lead to accidental secret leakage (CI logs, shell history, caches) or, if the bundled scripts or invoked API endpoints are malicious or compromised, deliberate exfiltration. The instructions also include shell heredocs that interpolate environment variables; if those variables are attacker-controlled, there is a modest command-injection risk. Overall this is not obviously malicious code, but it is moderately risky in practice because it directs operators to move plaintext secrets between services and into executable scripts. Operators should review the actual contents of validate_secret.py and test_api_auth.py, avoid using --plain in interactive contexts, avoid caching secrets to disk unless encrypted, and validate API endpoints before running tests.