frappe-api-development
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE
Full Analysis
- Data Exposure & Exfiltration (SAFE): No hardcoded secrets or data exfiltration patterns were detected. Code snippets for authentication use clearly marked dummy placeholders.
- Dynamic Execution (SAFE): The skill documents the 'Server Script' feature of Frappe. It correctly notes that this is disabled by default for security reasons and explains the use of RestrictedPython to sandbox execution.
- Indirect Prompt Injection (SAFE): While the skill describes how to build API endpoints that process external data, it proactively includes guardrails for input validation and sanitization (e.g., using
frappe.db.escape) to mitigate potential injection risks. - Privilege Escalation (SAFE): Administrative functions like
ignore_permissions=Trueare documented within the context of specific system-level tasks (e.g., creating an API user), accompanied by clear instructions on proper usage.
Audit Metadata