bench-commands

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt contains explicit plaintext passwords and examples that pass secrets as command-line arguments and in config files (e.g., --admin-password admin123, --mariadb-root-password mypassword, site_config.json with "db_password"), which would require the LLM to emit secret values verbatim if asked to instantiate those examples.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill includes commands that fetch and install apps from public, user-generated sources (e.g., "bench get-app https://github.com/frappe/erpnext"), so the agent may ingest and act on untrusted third-party content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill contains a runtime command that fetches and installs remote code — "bench get-app https://github.com/frappe/erpnext" — which downloads and brings external repository code into the runtime where it can be executed, so it is a required runtime dependency that can execute remote code.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly includes sudo commands and production setup steps (bench setup production/systemd/nginx, sudo supervisorctl/systemctl restarts, certbot, etc.) that create/modify system service files, restart services, and alter system-wide configuration, so it encourages changing the machine state and requiring elevated privileges.