frappe-ops-deployment
Warn
Audited by Snyk on Mar 31, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's required deployment workflows explicitly fetch and execute public third-party content (e.g., "git clone https://github.com/frappe/frappe_docker.git" in the SKILL.md/workflows and examples, curl https://deb.nodesource.com/setup_18.x, and docker builds that pull GitHub app URLs), meaning untrusted external repositories and scripts are ingested and can materially influence subsequent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill contains a runtime command that fetches and executes remote code ("curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -"), which downloads and runs a shell script from deb.nodesource.com during setup.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly directs privileged, state-changing operations (sudo bench commands, editing /etc/nginx and /etc/ssh files, modifying sudoers, creating symlinks in system dirs, reloading systemd/supervisor, copying private keys, enabling firewall, etc.), which modify system configuration and require elevated access and therefore can compromise the machine state.
Issues (3)
W011 - MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012 - MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W013 - MEDIUM: Attempt to modify system services in skill instructions.