bench-commands

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • Data Exposure (HIGH): Hardcoded credentials for the MariaDB root user ('123') and the site administrator ('admin') are found in SKILL.md, references/backup-restore.md, references/database-operations.md, and references/site-management.md.
  • Unverifiable Dependencies & Remote Code Execution (MEDIUM): The skill provides commands to download and install software from untrusted GitHub repositories (e.g., https://github.com/kehwar/frappe_soldamundo.git) in references/app-management.md and references/app-development.md. These sources are not within the defined list of trusted organizations.
  • Dynamic Execution (MEDIUM): references/testing-debugging.md includes instructions for running arbitrary Python code using bench execute and interactive access through bench console, which can be used to execute unverified logic in the application context.
  • Privilege Escalation (MEDIUM): The skill documentation describes using system commands to terminate processes (pkill, fuser -k) and direct database root access in references/development-operations.md and references/database-operations.md.
  • Indirect Prompt Injection (LOW): The skill structure facilitates the processing of untrusted external content.
      • Ingestion points: External code is fetched from user-specified repositories via bench get-app in references/app-management.md.
      • Boundary markers: Absent. There are no instructions to isolate or verify the content of the downloaded repositories.
      • Capability inventory: Full access to the database (mariadb), process management (pkill), and arbitrary Python execution (bench execute).
      • Sanitization: Absent. The skill does not describe any validation steps for the downloaded code before installation.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 18, 2026, 12:06 AM