Frappe MCP

Security checks across malware telemetry and agentic risk

Overview

This ERPNext skill appears purpose-aligned but needs Review because it exposes broad, high-impact ERP record changes and custom method execution with limited scoping in the artifacts.

Install only with a trusted ERPNext/MCP server and a least-privileged ERP account. Before production use, restrict or disable generic_task and bulk_operation, add DocType and method allowlists, require previews and explicit confirmation for any update/delete/export/import/submit/cancel/payment action, and verify backups and audit logging are enabled.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (25)

Context-Inappropriate Capability

Severity: Medium. Confidence: 96%.
The custom action exposes `run_doc_method` with user-controlled `options.method` and `options.args`, which effectively enables arbitrary document-method invocation through a broadly scoped 'generic task' skill. In context, this is more dangerous because the skill is designed as a catch-all router with broad triggers and dynamic doctype handling, increasing the chance that sensitive or destructive backend methods can be reached without narrowly scoped user intent or explicit allowlisting.

Intent-Code Divergence

Severity: Low. Confidence: 88%.
The manifest documents `custom` as just another action value without clearly disclosing that it maps to arbitrary document-method execution. This mismatch can mislead users, reviewers, or higher-level orchestration into treating the skill as ordinary CRUD routing when it actually exposes a much broader execution surface.

Missing User Warnings

Severity: Medium. Confidence: 86%.
The documentation explicitly advertises a `bulk_operation` skill capable of bulk create/update/delete, but it provides no warning about destructive actions, no mention of dry-run or confirmation requirements, and no guidance on authorization boundaries. In an agent skill ecosystem where natural-language triggers can invoke workflows, omitting these cautions increases the chance of unsafe mass modification or deletion being exposed or used without adequate user awareness.

Missing User Warnings

Severity: Medium. Confidence: 84%.
The `complete_sales_workflow` is described as a full Quotation → SO → Invoice → Payment chain, which can create multiple business records and record financial transactions, yet the documentation gives no warning about approval, validation, or confirmation checkpoints. In an automated skill framework, this can normalize one-shot execution of financially sensitive workflows and increase the risk of accidental or unauthorized end-to-end transaction processing.

Vague Triggers

Severity: Medium. Confidence: 91%.
The trigger set is broad and generic for a high-impact utility that can create, update, delete, import, and export arbitrary DocTypes. This increases the chance of accidental or low-friction invocation of destructive or sensitive operations, especially because phrases like 'import data', 'export data', and 'bulk operation' are common and not scoped to a specific safety context.

Vague Triggers

Severity: Medium. Confidence: 86%.
The trigger phrases are generic business-language expressions such as 'complete sales workflow' and 'full sales process', which increases the chance the skill is invoked in situations where the user did not intend a multi-step financial automation. In this skill's context, accidental activation is more dangerous because the workflow creates multiple transactional records, including invoices and payments, rather than performing a read-only action.

Missing User Warnings

Severity: Medium. Confidence: 92%.
The skill is designed to create a quotation, sales order, invoice, and payment entry, and it exposes an 'auto_submit' option, but there is no explicit warning or mandatory confirmation for these data-changing financial actions. In a sales/accounting environment, unintended submission can create binding commercial records, distort receivables, and produce accounting inconsistencies or unauthorized payment records.

Vague Triggers

Severity: Medium. Confidence: 86%.
The trigger phrases are generic CRM commands that could match ordinary conversation and cause this skill to activate when the user did not clearly intend customer creation. Because the workflow performs a state-changing action via create_document, ambiguous invocation increases the risk of unintended record creation and downstream data integrity issues.

Vague Triggers

Severity: Medium. Confidence: 90%.
The trigger phrase "bill customer" is broad, generic business language that could match user requests outside the intended scope of creating a sales invoice. In an agent environment, this raises the chance of accidental invocation and unintended financial-document creation, especially because the skill can directly create invoice records.

Vague Triggers

Severity: Medium. Confidence: 91%.
The trigger phrases are generic action phrases like 'create item', 'add item', and 'new product', which can easily overlap with ordinary user conversation and cause unintended activation of a skill that performs a state-changing operation. Because this skill directly creates Item records, ambiguous invocation increases the risk of unauthorized or accidental business data creation.

Missing User Warnings

Severity: Medium. Confidence: 87%.
The description says the skill will 'Create a new item/product with inventory and pricing details' but does not clearly warn that it performs a persistent write to business records in the Item DocType. Insufficient disclosure around side effects can mislead users or orchestrators into treating the skill like an informational helper, increasing the chance of unintended data modification.

Vague Triggers

Severity: Medium. Confidence: 89%.
The trigger phrases are short and generic (e.g., 'create lead', 'new lead'), which increases the chance the skill is invoked from ordinary conversation without clear user intent to modify CRM data. Because this skill performs a write action by creating records, unintended activation could result in unauthorized or accidental lead creation, data pollution, or workflow disruption.

Vague Triggers

Severity: Medium. Confidence: 90%.
The trigger phrases are generic and likely to match ordinary user requests such as 'create project' or 'start project' without enough disambiguation. In an agent environment, this can cause the skill to activate unintentionally and create a Project record, leading to unauthorized or accidental state-changing actions in the connected system.

Vague Triggers

Severity: Medium. Confidence: 91%.
The trigger phrase "request purchase" is broad enough to match ordinary procurement discussion rather than a clear, intentional invocation. In this skill, accidental activation is more dangerous because the workflow proceeds to create a Purchase Order document, which can initiate downstream business processes and potentially lead to unauthorized or erroneous orders.

Missing User Warnings

Severity: Medium. Confidence: 84%.
The description omits that the skill creates a real procurement record with business and approval implications, which can mislead users or orchestrators about the sensitivity of the action. In this context, the risk is amplified because the workflow directly calls create_document for a Purchase Order and includes optional submission capability, making the action operationally significant.

Vague Triggers

Severity: Medium. Confidence: 94%.
The trigger phrase "process customer order" is broad, generic business language that could match routine user requests not specifically intended to invoke this skill. Because the skill creates persistent Sales Order records, unintended invocation could cause unauthorized or accidental state changes in the ERP system.

Missing User Warnings

Severity: Medium. Confidence: 92%.
The description says the skill will create a sales order but does not clearly warn that it performs state-changing actions in business systems and may submit records. This increases the chance that users or orchestrators invoke it without understanding that it can create official transactional documents with financial and operational consequences.

Vague Triggers

Severity: Medium. Confidence: 84%.
The trigger phrases are generic procurement phrases with no visible scoping to authorized roles, explicit confirmation, or contextual constraints, so the skill may activate for loosely related user requests and initiate supplier creation workflows unintentionally. In a business system, unintended vendor creation can pollute master data, create fraudulent records, or assist social-engineering-driven procurement abuse if an agent over-invokes the skill.

Vague Triggers

Severity: High. Confidence: 97%.
The trigger list contains highly generic phrases like 'process', 'execute', 'handle this', and 'anything else', making accidental or overly broad invocation likely. In this skill's context, that is especially risky because the skill can read, update, delete, submit, cancel, and run custom methods, so an imprecise match could route ordinary user conversation into high-impact operations.

Missing User Warnings

Severity: Medium. Confidence: 93%.
The manifest advertises destructive and state-changing actions such as update, delete, submit, cancel, and custom without prominently warning about their consequences. In a generic utility skill, understated risk messaging increases the likelihood of unsafe invocation by users or calling agents that may assume these are routine low-risk operations.

Vague Triggers

Severity: Medium. Confidence: 92%.
The trigger phrases are broad enough to match ordinary accounting conversation, increasing the chance that the skill activates when the user did not intend to initiate a financial transaction workflow. In this skill's context, unintended invocation is especially risky because the workflow can create a Payment Entry that affects financial records, so accidental activation could lead to unauthorized or erroneous payment records.

Missing User Warnings

Severity: Medium. Confidence: 90%.
The description says the skill processes payments but does not clearly disclose that it creates a Payment Entry in the system, which can modify authoritative financial records. That lack of transparency increases the chance of misuse or accidental invocation because users may not understand that the action is state-changing rather than informational.

Vague Triggers

Severity: Medium. Confidence: 90%.
The trigger list includes very generic phrases such as "search", "find", and "lookup", which are likely to match ordinary user requests and cause this skill to activate when a more specific or appropriate skill should handle the request. In an agent environment, broad trigger collisions can lead to unintended tool use, data overexposure through document search, and reduced control over when enterprise records are queried.

Vague Triggers

Severity: Medium. Confidence: 92%.
The trigger set is broad and action-oriented, especially including generic phrases like "stock entry" and related inventory terms, which can cause the skill to activate in ambiguous contexts. Because this skill creates inventory-affecting documents, overbroad activation increases the chance of unintended stock movements or draft transactions being created from loosely related user requests.

Missing User Warnings

Severity: Medium. Confidence: 90%.
The manifest clearly enables creation of a Stock Entry, which is an inventory-affecting business action, but it provides no user-facing warning or confirmation requirement. In this context, silent execution is risky because stock entries can alter quantities, valuations, and downstream operational records if invoked accidentally or through ambiguous prompting.

VirusTotal

66/66 vendors flagged this skill as clean.