Trust Assessment
frappecli received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 3 high, 1 medium, and 0 low severity. Key findings include Arbitrary Command Execution via `bash` tool, Broad System Access via `bash` tool, and Potential for Data Exfiltration via `bash` and `frappecli`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary Command Execution via `bash` tool: The skill manifest declares `bash` as a tool, allowing the LLM to execute arbitrary shell commands. This creates a critical command injection vulnerability if user input is incorporated into `bash` commands without proper sanitization. An attacker could craft malicious input to execute arbitrary commands on the host system. Avoid using `bash` as a general-purpose tool if specific, safer tools can achieve the desired functionality. If `bash` is strictly necessary, implement robust input sanitization and validation for all user-provided arguments before constructing and executing shell commands. Consider using a sandboxed environment for `bash` execution. | LLM | SKILL.md |
| HIGH | Broad System Access via `bash` tool: The skill's reliance on the `bash` tool grants it broad and potentially excessive permissions, allowing arbitrary command execution on the host system. This level of access is generally not required for specific skill functionalities and significantly increases the attack surface. The `frappecli` tool itself, when configured with API keys, can perform extensive operations (CRUD, file management, RPC) on an ERP system, which also represents broad access to sensitive business data. Restrict tool access to the absolute minimum necessary. If `bash` is used, ensure it operates within a highly constrained and sandboxed environment. For `frappecli`, ensure that the API keys used have the least privilege required for the skill's intended operations. | LLM | SKILL.md |
| HIGH | Potential for Data Exfiltration via `bash` and `frappecli`: The combination of the `bash` tool and the `frappecli` utility creates a high risk of data exfiltration. An attacker exploiting a command injection vulnerability (SS-LLM-003) could use `bash` to read sensitive files (e.g., `~/.config/frappecli/config.yaml` containing API keys/secrets) or use `frappecli` commands (e.g., `frappecli doc list`, `frappecli file download`) to extract data from the connected Frappe instance. This extracted data could then be transmitted to an external server using `curl` or similar `bash` utilities. Implement strict input validation and sanitization to prevent command injection. Restrict network egress from the skill's execution environment. Avoid storing sensitive credentials directly in files accessible by the skill if possible, or ensure they are protected with appropriate file permissions and access controls. | LLM | SKILL.md:30 |
| HIGH | API Keys and Secrets Stored in Accessible Configuration File: The `frappecli` tool stores `api_key` and `api_secret` in `~/.config/frappecli/config.yaml`. While this is a common practice for CLI tools, the presence of the `bash` tool in the skill's manifest means that an attacker who achieves command injection could easily read this configuration file and harvest these sensitive credentials. These credentials grant access to the Frappe instance. Protect the `config.yaml` file with strict file system permissions. Consider using environment variables or a secure secrets management system instead of plaintext files for credentials, especially in automated environments. Ensure robust command injection prevention to protect against unauthorized file access. | LLM | SKILL.md:30 |
| MEDIUM | Unpinned Dependencies and Third-Party Source Installation: The installation instructions recommend `brew install frappecli` from a third-party tap (`pasogott/tap`) and direct source installation via `git clone` followed by `uv sync && uv pip install -e .`. Neither method specifies a fixed version or commit hash, meaning future updates to the Homebrew tap or the GitHub repository could introduce malicious code without explicit review. The `uv sync` command also typically installs the latest compatible versions of dependencies if not explicitly pinned in a `requirements.txt` or `pyproject.toml`. Pin all dependencies to specific versions or commit hashes. For Homebrew, specify a version if available, or consider auditing the tap. For `git clone`, specify a commit hash (`git clone <repo> && cd <repo> && git checkout <commit_hash>`). Ensure `requirements.txt` or `pyproject.toml` explicitly pins all Python dependencies. Regularly audit third-party dependencies and sources. | LLM | SKILL.md:14 |