frappe-dev
Warn
Audited by Gen Agent Trust Hub on Jun 8, 2026
Risk Level: MEDIUM
Finding categories: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies extensively on the bench CLI for all operations. Instructions in references/bench-operations.md and references/site-management.md guide the agent to perform administrative tasks, including site creation, migration, and destructive actions such as bench drop-site.
- [CREDENTIALS_UNSAFE]: The agent is instructed to manage sensitive database and administrative credentials. Evidence in references/site-management.md shows the agent being told to store the database root password in the global configuration using bench set-config -g root_password '<pwd>' and to pass it via CLI flags.
- [REMOTE_CODE_EXECUTION]: The skill uses the bench execute and bench console commands, which allow the agent to run arbitrary Python code or interactive sessions with full site context. This capability can be exploited to execute malicious logic on the host system.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection (Category 8).
  - Ingestion points: The agent is instructed to read and analyze existing application code in references/existing-app.md to understand patterns.
  - Boundary markers: There are no instructions to use delimiters or to ignore embedded instructions when reading existing project files.
  - Capability inventory: The agent has extensive capabilities, including file system modification, shell command execution via bench, and arbitrary Python execution via bench execute.
  - Sanitization: No sanitization or validation of the untrusted code content is required before the agent processes it.
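The CREDENTIALS_UNSAFE finding above is checkable on disk: bench set-config -g writes its key into sites/common_site_config.json, and per-site settings land in sites/<site>/site_config.json, both plain JSON. The following audit script is an added example written for this page; it is not code from the skill, from the Trust Hub, or from the Frappe project. It builds a constructed bench layout with placeholder values (no real credentials), then walks the config files and reports any root_password as high severity, while listing the per-site secrets Frappe itself writes during site setup as informational so a reviewer knows where they live. The key names and severities are the example's own assumptions.

```python
"""Audit a Frappe bench tree for plaintext credentials left in its JSON configs.

Added example for this audit page, not the skill's or Frappe's own code.
bench set-config -g writes sites/common_site_config.json; bench set-config
without -g writes sites/<site>/site_config.json. Both are plain JSON.
"""
import json
import os
import tempfile

# Assumed key sets for this example. root_password is the database superuser
# credential and should never sit in a bench config; the others are written by
# Frappe during site setup (by design), but are still worth listing.
HIGH_RISK_KEYS = {"root_password"}
SENSITIVE_KEYS = {"db_password", "admin_password", "encryption_key"}


def config_files(bench_path):
    """Yield the global config plus every site_config.json found under sites/."""
    sites_dir = os.path.join(bench_path, "sites")
    common = os.path.join(sites_dir, "common_site_config.json")
    if os.path.isfile(common):
        yield common
    if os.path.isdir(sites_dir):
        for name in sorted(os.listdir(sites_dir)):
            site_cfg = os.path.join(sites_dir, name, "site_config.json")
            if os.path.isfile(site_cfg):
                yield site_cfg


def find_plaintext_credentials(bench_path):
    """Return [(relative_path, key, severity)] for every secret-bearing key.

    Severity is "high" for root_password anywhere and "info" for the per-site
    keys Frappe writes itself. An unparseable file is reported as "error" so a
    broken config cannot silently pass the audit.
    """
    findings = []
    for path in config_files(bench_path):
        rel = os.path.relpath(path, bench_path).replace(os.sep, "/")
        try:
            with open(path, encoding="utf-8") as fh:
                cfg = json.load(fh)
        except (OSError, ValueError) as exc:
            findings.append((rel, f"<unreadable: {exc.__class__.__name__}>", "error"))
            continue
        if not isinstance(cfg, dict):
            continue
        for key, value in cfg.items():
            if value in (None, ""):
                continue  # an empty value is not a stored secret
            if key in HIGH_RISK_KEYS:
                findings.append((rel, key, "high"))
            elif key in SENSITIVE_KEYS:
                findings.append((rel, key, "info"))
    return findings


def build_sample_bench(root):
    """Write a constructed bench layout mirroring what the audited skill instructs.

    All values are placeholders, not real credentials.
    """
    sites = os.path.join(root, "sites")
    os.makedirs(os.path.join(sites, "site1.local"))
    # Result of: bench set-config -g root_password '<pwd>'  (the finding above)
    with open(os.path.join(sites, "common_site_config.json"), "w", encoding="utf-8") as fh:
        json.dump({"db_host": "127.0.0.1", "root_password": "placeholder-root-pw"}, fh)
    # A normal per-site config as Frappe writes it during bench new-site.
    with open(os.path.join(sites, "site1.local", "site_config.json"), "w", encoding="utf-8") as fh:
        json.dump({"db_name": "_abc123", "db_password": "placeholder-site-pw"}, fh)
    return root


def audit_sample_bench():
    """Build the constructed bench in a temp dir, audit it, and return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_bench(tmp)
        return find_plaintext_credentials(tmp)


if __name__ == "__main__":
    for rel, key, sev in audit_sample_bench():
        print(f"{sev:5} {rel}: {key}")
```

Run it against a real bench with find_plaintext_credentials("/path/to/frappe-bench"); any "high" line means the root password was persisted exactly as the skill's site-management instructions describe and should be removed with bench set-config -g root_password "" (or by editing the file) and rotated on the database server.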
Audit Metadata