Frappe MCP

The `definitions/generic_task.json` skill is highly suspicious due to its broad capabilities and the inclusion of a 'custom' action that directly calls `run_doc_method` with user-controlled `doctype`, `name`, `method`, and `args`. This design creates a severe prompt injection vulnerability, potentially leading to Remote Code Execution (RCE) or arbitrary data manipulation within the ERPNext/Frappe environment if an attacker can craft inputs to the AI agent. Additionally, `definitions/bulk_operation.json` allows bulk create, update, delete, import, and export operations on any DocType, which, while having some guardrails, presents a significant risk for mass data manipulation or exfiltration if not rigorously controlled by underlying permissions.