frappe-impl-integrations

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed API keys, bearer tokens, and webhook secrets directly in headers and curl commands (e.g., Authorization: token api_key:api_secret, Authorization: Bearer access_token, Authorization: Bearer token123), which encourages the model to output secret values verbatim and thus creates exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs fetching and processing arbitrary external content—e.g., Connected App "OpenID Configuration URL" auto-fetch (Workflow 2), Webhook "Request URL" deliveries (Workflow 3), and direct external API calls in Workflow 4 / examples—which are untrusted public endpoints whose responses are parsed and used to create/update records or drive retries, so third-party content can materially influence behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly includes "Payment Gateway integration" and references "Payment Request + Payment Gateway controller" (in the decision tree and description/keywords). Those components are specifically about integrating payment processors and handling payment requests within Frappe — i.e., executing or facilitating financial transactions. Even though provider names (Stripe/PayPal) are not listed, the skill is explicitly about implementing payment gateway functionality (a clearly financial execution capability). Other parts (OAuth, webhooks, API calls) are generic, but the payment-gateway content meets the criteria for Direct Financial Execution.