foxmayn-frappe-cli
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from external Frappe/ERPNext document fields.
  - Ingestion points: Untrusted data enters the agent's context through the output of commands like `ffc list-docs`, `ffc get-doc`, and `ffc run-report` as described in `SKILL.md`.
  - Boundary markers: The skill partially mitigates this by mandating the use of the `--json` flag for all data retrieval operations, which provides a structured format that helps the agent distinguish data from instructions.
  - Capability inventory: The skill allows for various operations via the `ffc` tool, including reading, creating, updating, and deleting documents, as well as calling server-side RPC methods.
  - Sanitization: There is no evidence of content sanitization or filtering applied to the document fields before they are presented to the agent.
- [DATA_EXFILTRATION]: The skill interacts with user-defined Frappe sites. While it handles API keys and secrets, it uses placeholders in examples and describes standard local configuration management (`~/.config/ffc/config.yaml`) without any evidence of exfiltrating these credentials to unauthorized third parties.
- [COMMAND_EXECUTION]: The skill documentation details the use of the `ffc` command-line utility. The commands provided are strictly for site interaction and management, conforming to the primary purpose of the skill.
Audit Metadata