frappe-printing-templates
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted data from Frappe DocTypes to render Jinja templates.
- Ingestion points: Data fields from Frappe DocTypes (e.g.,
doc.customer,doc.items) inSKILL.mdandreferences/jinja.md. - Boundary markers: Absent in the examples provided.
- Capability inventory: Includes sensitive operations like
frappe.sendmail,frappe.attach_print, andfrappe.get_allacrossSKILL.mdandreferences/jinja.md. - Sanitization: The skill recommends using
{{ value | e }}for escaping user content and warns against using the| safefilter on untrusted data in the Guardrails and Common Mistakes sections ofSKILL.md. - [DATA_EXPOSURE_AND_EXFILTRATION]: The skill demonstrates the use of
frappe.get_allfor data fetching. The documentation inreferences/jinja.mdexplicitly notes that this method "ignores permissions," which could lead to unauthorized data exposure if templates are used by users with restricted access. - [DYNAMIC_EXECUTION]: In
references/jinja.md, the skill documentsfrappe.render_templatewhich allows rendering a template from a string. If the template string incorporates untrusted input, it could lead to Server-Side Template Injection (SSTI), potentially allowing unauthorized execution of logic within the Jinja environment.
Audit Metadata