frappe-ops-upgrades
Warn
Audited by Snyk on Mar 31, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's required Pre-Upgrade Checklist explicitly instructs the agent/operator to "Read release notes — Check GitHub release notes for each version" (SKILL.md Pre-Upgrade Checklist item 8). This directs the agent to ingest public, third-party-authored GitHub content at run time; anything embedded in that content (including text written to look like instructions) enters the agent's context and can materially change upgrade decisions and actions.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill contains numerous system-level commands that change system and application state (backups/restores, git/pip/yarn installs, migrations, stopping/starting services) and explicitly suggests using sudo (e.g., "sudo bench restart"). It therefore steers the agent toward actions that require elevated privileges and modify the host machine; combined with W011, instructions derived from fetched release notes could influence which of these privileged commands are run.
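The two warning classes above can be approximated with a small static scan of the skill's instruction file. The script below is an added example, not Snyk's audit engine and not code from the frappe-ops-upgrades skill; its regexes are assumed heuristics, and the SKILL.md excerpt it scans is constructed for the example (only the two fragments quoted in the findings are taken from the audit text).

```python
"""Heuristic scanner for agent skill instruction files (SKILL.md).

Added example, not Snyk's scanner. The regexes are assumed heuristics
approximating two warning classes from the audit:
  W011  instructions telling the agent to ingest third-party content
        (indirect prompt injection surface)
  W013  instructions that run privileged or state-changing commands
"""
import re
from dataclasses import dataclass

SEVERITY = {"W011": "MEDIUM", "W013": "MEDIUM"}

# Each entry: (compiled regex, reason). Assumed heuristics; tune for your skills.
# Third-party ingestion: case-insensitive, because these appear in prose.
THIRD_PARTY_RULES = [
    (re.compile(r"\b(read|check|fetch|review|consult)\b[^.\n]*"
                r"\b(release notes|changelog|github|issue tracker|pull requests?|web ?page)\b", re.I),
     "instructs the agent to read third-party content that can steer later actions"),
    (re.compile(r"https?://\S+", re.I),
     "references an external URL the agent may fetch"),
]
# Privileged / state-changing commands: case-sensitive, shell commands are lowercase.
PRIVILEGED_RULES = [
    (re.compile(r"(?:^|\s)sudo\s+\S+"), "invokes sudo (requires elevated privileges)"),
    (re.compile(r"\b(systemctl|service)\b[^\n]*\b(restart|stop|start|reload|enable|disable)\b"),
     "stops, starts or reconfigures a system service"),
    (re.compile(r"\bbench\b[^\n]*\b(restart|migrate|update|restore|backup|setup)\b"),
     "runs a bench command that changes application or site state"),
    (re.compile(r"\b(pip3?|yarn|npm)\s+(install|add)\b"), "installs packages"),
    (re.compile(r"\bgit\s+(pull|checkout|fetch|reset)\b"), "changes checked-out source"),
]


@dataclass(frozen=True)
class Finding:
    rule: str       # W011 or W013
    severity: str
    line_no: int    # 1-based line in the scanned file
    line: str
    reason: str


def scan_skill(text: str) -> list[Finding]:
    """Return at most one Finding per (line, rule family); the first matching reason wins."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, patterns in (("W011", THIRD_PARTY_RULES), ("W013", PRIVILEGED_RULES)):
            for regex, reason in patterns:
                if regex.search(line):
                    findings.append(Finding(rule, SEVERITY[rule], line_no, line.strip(), reason))
                    break
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, e.g. {'W011': 1, 'W013': 5}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def overall_risk(findings: list[Finding]) -> str:
    """Worst severity present across findings, or NONE if the file is clean."""
    order = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}
    worst = "NONE"
    for f in findings:
        if order[f.severity] > order[worst]:
            worst = f.severity
    return worst


# Constructed excerpt for demonstration; not the real frappe-ops-upgrades SKILL.md.
SAMPLE_SKILL_MD = """\
# Frappe upgrade skill (constructed sample, not the real SKILL.md)

## Pre-Upgrade Checklist
1. Take a full backup: bench --site all backup --with-files
2. Read release notes — Check GitHub release notes for each version
3. Pin the target: git checkout <tag>

## Upgrade
- bench update --patch
- bench migrate
- sudo bench restart
"""

if __name__ == "__main__":
    found = scan_skill(SAMPLE_SKILL_MD)
    for f in found:
        print(f"{f.severity} {f.rule} line {f.line_no}: {f.reason} :: {f.line}")
    print("counts:", summarize(found), "risk:", overall_risk(found))
```

Running it on the sample reports one W011 hit (the "Read release notes" checklist item) and five W013 hits, with the `sudo bench restart` line attributed to the sudo rule because that pattern is checked first. A W011 hit is the signal to treat whatever the agent later fetches as untrusted data (delimit it, never execute instructions found inside it), and a W013 hit is the signal to require operator confirmation before each privileged command rather than letting the agent run them unattended.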
Issues (2)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.