frappe-manager

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflows (SKILL.md and references/bench-commands.md and references/fm-commands.md) explicitly instruct fetching and installing apps from public repositories (e.g., "bench get-app https://github.com/...", "fm create --apps erpnext" and other examples that pull from GitHub/frappe.cloud), so the agent will ingest untrusted, user-generated code/content that can influence commands, tests, logs, and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill explicitly instructs runtime fetching and installation of remote GitHub code (e.g., bench get-app https://github.com/frappe/hrms.git), which pulls and installs external code inside the environment and thus can execute untrusted code at runtime.