frappe-system-console

Pass

Audited by Gen Agent Trust Hub on May 6, 2026

Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/run_console.py enables the execution of Python and SQL snippets via the Frappe execute_code method. This script grants elevated internal privileges by programmatically setting the user to Administrator and allows the agent to trigger code execution on the host system where the Frappe bench is installed.
  • [DATA_EXFILTRATION]: As documented in REFERENCE.md, the sandboxed environment supports network operations through functions like frappe.make_get_request and frappe.make_post_request. These capabilities could be leveraged to exfiltrate data from the Frappe database to external endpoints.
  • [PROMPT_INJECTION]: The APP-EXTENSIONS.md file instructs the agent to scan and interpret workspace files (hooks.py and related Python modules) to discover custom API extensions. This process exposes the agent to untrusted data within the local repository.
      • Ingestion points: Scanning hooks.py files and following imports across the apps/ directory in the local workspace.
      • Boundary markers: None; the instructions do not specify delimiters or provide warnings to ignore embedded instructions within the analyzed workspace code.
      • Capability inventory: The agent is provided with powerful capabilities including database modification (frappe.db.set_value), network requests (frappe.make_post_request), and background job queuing (frappe.enqueue).
      • Sanitization: No validation or sanitization of the workspace content is implemented before the agent processes the code to determine the available namespace extensions.
Audit Metadata
Risk Level: SAFE
Analyzed: May 6, 2026, 08:41 PM