frappe-manager
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill instructs users to install the 'frappe-manager' package via pipx and suggests a development version directly from the 'rtcamp' GitHub repository, which is not included in the trusted organizations list.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The instruction to run 'pipx install git+https://github.com/rtcamp/frappe-manager@develop' downloads and executes code from a remote repository on the host system. While this is the primary purpose of the skill, it remains a medium-risk operation due to the source's untrusted status in this context.
- [COMMAND_EXECUTION] (MEDIUM): The command 'fm --install-completion' modifies shell configuration files (e.g., .bashrc or .zshrc) to enable auto-completion. This is a persistence mechanism that modifies the host environment.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection through its ingestion of site names and app lists.
  1. Ingestion points: 'BENCHNAME' and '--apps' parameters in 'fm create'.
  2. Boundary markers: None.
  3. Capability inventory: Execution of subprocesses via FM and Bench CLI tools.
  4. Sanitization: No sanitization is mentioned for these parameters before they are used in shell commands.
- [CREDENTIALS_UNSAFE] (LOW): The documentation explicitly mentions default credentials such as 'admin/admin' and 'root' for database access, which could be a security risk if misused outside of local development environments.
Audit Metadata