Frappecli

Pass

Audited by VirusTotal on May 13, 2026.

Overview

Type: OpenClaw Skill
Name: frappecli
Version: 0.1.1

The provided skill bundle describes a CLI tool for managing Frappe Framework instances. The `SKILL.md` file details installation, configuration, and usage of the `frappecli` tool, which involves network communication and local file operations (upload/download) as expected for its stated purpose. There is no evidence of prompt injection against the agent, instructions for data exfiltration, malicious execution, persistence, or obfuscation within the analyzed files. The instructions are purely descriptive and functional for a legitimate tool.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used with powerful ERP credentials, the CLI could change or delete records or trigger server-side actions.

Why it was flagged

The skill documents commands that can create, update, delete, and invoke RPC methods on a Frappe/ERPNext site. This is aligned with the stated CLI purpose, but these are high-impact operations on business systems.

Skill content

frappecli doc create Customer ...
frappecli doc update Customer CUST-001 ...
frappecli doc delete Customer CUST-001
...
frappecli rpc myapp.api.process_data --args '{"doc_id":"DOC-001"}'

Recommendation

Use least-privilege API keys where possible and confirm destructive or RPC commands before running them, especially against production.

What this means

Anyone or any process able to use those credentials may access or modify ERP data according to the key's permissions.

Why it was flagged

The skill requires Frappe API credentials stored in a local configuration file, including a production site example. This is expected for the integration, but those credentials may grant sensitive account access.

Skill content

Create `~/.config/frappecli/config.yaml`:

sites:
  production:
    url: https://erp.company.com
    api_key: your_api_key
    api_secret: your_api_secret

Recommendation

Store the config securely, restrict file permissions, avoid overly broad production keys, and rotate credentials if exposed.

What this means

The safety of the installed CLI depends on the external repository or Homebrew tap, which was not reviewed here.

Why it was flagged

The reviewed skill contains only instructions and points to external Homebrew/GitHub installation sources; the actual CLI code is not included in the provided artifacts.

Skill content

brew tap pasogott/tap
brew install frappecli
...
git clone https://github.com/pasogott/frappecli.git
cd frappecli && uv sync && uv pip install -e .

Recommendation

Review the upstream repository/tap, prefer pinned versions or trusted releases, and install only from sources you trust.