The Agent Skills Directory

Dynamic Execution (MEDIUM): In references/sla-implementation.md, the check_sla_condition function uses frappe.safe_eval(sla.condition). This pattern executes Python code stored in a database field. While safe_eval is restricted by the framework, it introduces a significant risk of arbitrary logic execution if an attacker gains the permissions required to modify configuration records.
SQL Injection Surface (LOW): Multiple files, including references/advanced-permissions.md, demonstrate building SQL queries via f-string interpolation (e.g., f"owner = '{user}'"). This practice bypasses parameterized query protections and is a common source of SQL injection vulnerabilities if the interpolated variables are influenced by external input.
Indirect Prompt Injection (LOW): The skill describes patterns for automated data ingestion from external sources like email and external CRM systems. 1. Ingestion points: SKILL.md (sync_emails), references/enterprise-patterns.md (Integration patterns). 2. Boundary markers: Absent in provided snippets. 3. Capability inventory: frappe.enqueue, frappe.db.sql, frappe.sendmail. 4. Sanitization: None demonstrated in the ingestion templates.

frappe-enterprise-patterns