frappe-printing-templates

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
  • [INDIRECT_PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted data from Frappe DocTypes to render Jinja templates.
  • Ingestion points: Data fields from Frappe DocTypes (e.g., doc.customer, doc.items) in SKILL.md and references/jinja.md.
  • Boundary markers: Absent in the examples provided.
  • Capability inventory: Includes sensitive operations like frappe.sendmail, frappe.attach_print, and frappe.get_all across SKILL.md and references/jinja.md.
  • Sanitization: The skill recommends using {{ value | e }} for escaping user content and warns against using the | safe filter on untrusted data in the Guardrails and Common Mistakes sections of SKILL.md.
  • [DATA_EXPOSURE_AND_EXFILTRATION]: The skill demonstrates the use of frappe.get_all for data fetching. The documentation in references/jinja.md explicitly notes that this method "ignores permissions," which could lead to unauthorized data exposure if templates are used by users with restricted access.
  • [DYNAMIC_EXECUTION]: In references/jinja.md, the skill documents frappe.render_template which allows rendering a template from a string. If the template string incorporates untrusted input, it could lead to Server-Side Template Injection (SSTI), potentially allowing unauthorized execution of logic within the Jinja environment.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 13, 2026, 08:06 AM
Security Audit — agent-trust-hub — frappe-printing-templates