frappe-dev-debugger

Warn

Audited by Gen Agent Trust Hub on May 6, 2026

Risk Level: MEDIUM | COMMAND_EXECUTION | REMOTE_CODE_EXECUTION | DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides instructions for the agent to execute shell commands using the bench CLI tool. Specifically, it uses bench execute and bench console to perform administrative and debugging tasks on the local development site.
  • [REMOTE_CODE_EXECUTION]: The skill facilitates the execution of arbitrary Python code through multi-step scripts passed to bench console via heredocs and direct python3 execution. This allows for unrestricted logic execution within the application context.
  • [DATA_EXFILTRATION]: The skill provides access to sensitive data storage locations, including reading .json.gz files from private/files/ and executing raw SQL queries or frappe.get_doc calls to retrieve document field values and metadata from the database.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface. It is designed to ingest data from external sources such as database records and files on disk. If these sources contain malicious instructions, the agent may follow them because the skill lacks boundary markers or sanitization, and it possesses the high-privilege capabilities required to execute subsequent commands.
    • Ingestion points: SKILL.md (Sections 1, 2, 5, and 6) where data is read via frappe.get_doc, frappe.get_all, raw SQL, or gzip.open.
    • Boundary markers: Absent. The skill does not instruct the agent to treat document content as untrusted or separate from instructions.
    • Capability inventory: SKILL.md (Sections 1, 3, and 4) provides extensive execution capabilities via bench execute, bench console, and python3 script injection.
    • Sanitization: Absent. There are no instructions to escape or validate data retrieved from the database or files before processing it.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 6, 2026, 08:40 PM