doppler-workflows
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the
Bashtool to execute administrative commands, includingdoppler run --commandpatterns which evaluate shell strings containing injected environment variables. - [COMMAND_EXECUTION]: The
AWS_WORKFLOW.mdfile includes instructions for destructive operations, specificallyaws iam delete-access-key, which can lead to service disruption if executed improperly. - [DATA_EXFILTRATION]: The
SKILL.mdfile contains patterns for reading sensitive files from the local filesystem, specifically~/.claude/.secrets/gh-token-accountname, which constitutes data exposure of credentials. - [DYNAMIC_EXECUTION]: Employs
mise [env]configuration that usescache(run='...')to dynamically execute shell commands (e.g.,doppler secrets get) to populate environment variables at runtime. - [EXTERNAL_DOWNLOADS]: References the installation of the Doppler CLI via Homebrew (
brew install dopplerhq/cli/doppler). This targets a well-known service and is documented neutrally. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) as it ingests untrusted data from Doppler secrets and the filesystem without explicit sanitization before interpolating them into shell commands.
- Ingestion points: Doppler secrets values/notes,
.mise.toml, and files in~/.claude/.secrets/. - Boundary markers: Absent; commands are executed directly in the shell context.
- Capability inventory: High-privilege actions including
aws iam delete-access-key,doppler secrets set, and arbitraryBashexecution. - Sanitization: No evidence of validation or escaping for external content before execution.
Audit Metadata