frappe-ops-bench
Fail
Audited by Snyk on Mar 31, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes examples that pass passwords and encryption-key values directly on the command line (e.g., --admin-password, --mariadb-root-password, --backup-encryption-key), which encourages embedding secret values verbatim in generated commands. A secret passed as a command-line argument is visible to every local user via `ps` or /proc/&lt;pid&gt;/cmdline, is recorded in shell history, and is likely to be echoed into agent transcripts and logs, so the pattern creates exfiltration risk even when the command itself is legitimate.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's workflows explicitly instruct fetching and installing public apps (e.g., "Workflow 3: App Management" and the line "bench get-app https://github.com/org/custom-app.git"), and the custom-commands doc shows that bench auto-discovers and runs code from those repositories. Untrusted third-party content from GitHub/URLs is therefore ingested into the environment and can change CLI behavior, including the behavior of subsequent bench commands the agent issues.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill instructs runtime use of bench get-app to download and install remote Git repositories (e.g., https://github.com/org/custom-app.git). The fetched code is installed into the bench and executed by it, so the URL is a runtime external dependency whose contents are not pinned or verified by the skill and can change between runs.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt includes explicit sudo commands (e.g., "sudo bench setup production", "sudo service nginx reload") and instructions that modify system services and nginx configuration and perform production setup, which can create system users and change system files. The skill therefore directs actions that change machine state and require elevated privileges.
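The four findings above are all pattern checks over the skill's instruction text, so they can be reproduced locally before a skill is deployed. The following POSIX sh script is an added example, not part of the Snyk report or of the frappe-ops-bench skill: it runs one check per finding class (W007 inline secrets, W011/W012 unpinned `bench get-app` URLs, W013 sudo/service commands) over a constructed sample of instruction lines. The sample text, the function names and the choice of flag keywords are assumptions made for this example; the flag names themselves are the ones quoted in the report.

```shell
#!/bin/sh
# Added example: lint skill instruction text for the finding classes above.
# SAMPLE_SKILL is constructed for this example; it is not the audited skill.
SAMPLE_SKILL='bench new-site site1.local --admin-password hunter2 --mariadb-root-password r00t
bench new-site site2.local
bench --site site1.local backup --backup-encryption-key k3y
bench get-app https://github.com/org/custom-app.git
bench get-app --branch version-15 https://github.com/org/custom-app.git
sudo bench setup production frappe
sudo service nginx reload
bench --site site1.local migrate'

# W007: a secret-bearing flag (*password*, *secret*, *token*, *key*) followed by
# a value. Literal values and $VAR expansions are both reported, because either
# form ends up in the bench process argv (readable via ps or /proc/<pid>/cmdline).
find_inline_secrets() {
    printf '%s\n' "$1" | grep -E -- '--[a-z-]*(password|secret|token|key)[a-z-]*[ =][^- ][^ ]*' || true
}

# W011/W012: bench get-app pointed at a remote URL with no --branch. An unpinned
# URL tracks the remote's default branch, so whatever is pushed there later is
# what gets installed on the next run. (--branch narrows the exposure; it is
# not a content hash, so pinned lines are merely excluded here, not approved.)
find_unpinned_get_app() {
    printf '%s\n' "$1" | grep -E 'bench get-app .*https?://' | grep -v -- '--branch' || true
}

# W013: lines run under sudo or that touch service management directly.
find_privileged_commands() {
    printf '%s\n' "$1" | grep -E '(^sudo |(^| )service |(^| )systemctl )' || true
}

# Count non-empty lines on stdin; prints 0 (and succeeds) when there are none.
count_lines() { grep -c . || true; }

lint_skill() {
    printf 'W007 inline secrets:\n';        find_inline_secrets "$1"
    printf 'W011/W012 unpinned get-app:\n'; find_unpinned_get_app "$1"
    printf 'W013 privileged commands:\n';   find_privileged_commands "$1"
}

lint_skill "$SAMPLE_SKILL"
```

Running the script prints two W007 lines (site1.local creation and the backup command), one unpinned get-app line and two privileged lines. For the W007 class, the remediation is to drop the flag entirely rather than replace the literal with a variable: bench prompts interactively for the MariaDB root and Administrator passwords when `bench new-site` is invoked without them, and an interactively typed value never appears in argv.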
Issues (4)
W007
HIGH Insecure credential handling detected in skill instructions.
W011
MEDIUM Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM Unverifiable external dependency detected (runtime URL that controls agent).
W013
MEDIUM Attempt to modify system services in skill instructions.