frappe-customizations-baker
Warn
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill requires the execution of a bundled utility script (
scripts/fetch_customizations.py) and standard Frappe CLI commands (bench migrate) to automate the customization baking process. - [REMOTE_CODE_EXECUTION]: The skill automates the creation of executable Python patch files within the
apps/<app>/<app>/patches/directory. These generated scripts are registered for execution during the system's migration phase. The instructions for generating these files involve direct interpolation of database-retrieved strings into Python code templates without specifying validation or sanitization steps. - [DATA_EXFILTRATION]: The included
fetch_customizations.pyscript performs authenticated access to the local Frappe database to retrieve metadata aboutCustom FieldandProperty Setterrecords. This data, which describes the structure and behavior of the application, is printed to stdout and becomes part of the agent's context. - [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface where untrusted data from the database can influence the generation of executable patches.
- Ingestion points: Data retrieved from the database by
fetch_customizations.py(specifically field names and DocType names). - Boundary markers: No delimiters or instructions to ignore embedded commands are specified for the patch generation task.
- Capability inventory: The agent is instructed to write Python files to the repository and register them for execution during
bench migrate. - Sanitization: The skill lacks instructions for sanitizing or escaping database values before they are used to build Python list and tuple literals in the patch files.
Audit Metadata