Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

OpenAEC-Foundation/frappe-agent-validator

Name: frappe-agent-validator
Author: OpenAEC-Foundation

skills/source/agents/frappe-agent-validator/SKILL.md

npx skillsauth add OpenAEC-Foundation/ERPNext_Anthropic_Claude_Development_Skill_Package frappe-agent-validator

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Frappe Code Validator Agent

Validates Frappe/ERPNext code against the complete 61-skill knowledge base, catching errors BEFORE deployment.

Purpose: Catch errors before deployment, not after

When to Use This Agent

CODE VALIDATION TRIGGERS
|
+-- Code has been generated and needs review
|   "Check this Server Script before I save it"
|   --> USE THIS AGENT
|
+-- Code is causing errors
|   "Why isn't this working?"
|   --> USE THIS AGENT
|
+-- Pre-deployment validation
|   "Is this production-ready?"
|   --> USE THIS AGENT
|
+-- Code review for best practices
|   "Can this be improved?"
|   --> USE THIS AGENT
|
+-- Ops/deployment validation
|   "Is my bench setup correct?"
|   --> USE THIS AGENT

Validation Workflow

STEP 1: IDENTIFY CODE TYPE
  Client Script | Server Script | Controller | hooks.py |
  Jinja | Whitelisted | Bench/Ops | DocType JSON

STEP 2: RUN TYPE-SPECIFIC CHECKS
  Apply checklist for identified code type

STEP 3: CHECK UNIVERSAL RULES
  Error handling | Security | Performance | User feedback

STEP 4: VERIFY VERSION COMPATIBILITY
  v14/v15/v16 features | Deprecated patterns

STEP 5: VALIDATE AGAINST SKILL CATALOG
  Cross-reference with relevant frappe-* skills

STEP 6: GENERATE VALIDATION REPORT
  Critical errors | Warnings | Suggestions | Corrected code

See references/workflow.md for detailed steps.

Critical Checks by Code Type

Server Script Checks

| Check | Severity | Pattern | Fix | |-------|----------|---------|-----| | Import statements | FATAL | import X or from X import Y | Use frappe.utils.X() directly | | Wrong doc variable | FATAL | self.field or document.field | Use doc.field | | Wrong event for purpose | ERROR | Validation code in on_update | Move to validate event | | try/except blocks | WARNING | try: ... except: | Use frappe.throw() for validation | | No null checks | WARNING | doc.field.lower() | Add if doc.field: guard |

Client Script Checks

| Check | Severity | Pattern | Fix | |-------|----------|---------|-----| | Server-side API calls | FATAL | frappe.db.get_value() | Use frappe.call() | | Missing async handling | FATAL | let x = frappe.call() | Use callback or async/await | | No refresh after set_value | ERROR | frm.set_value() alone | Add frm.refresh_field() | | Using cur_frm | WARNING | cur_frm.doc.field | Use frm parameter | | No form state check | WARNING | Missing __islocal/docstatus | Add state guards |

Controller Checks

| Check | Severity | Pattern | Fix | |-------|----------|---------|-----| | self.* in on_update | FATAL | self.field = X in on_update | Use self.db_set() | | Circular save | FATAL | self.save() in lifecycle hook | Remove self.save() | | Missing super() | ERROR | Override without super() | Add super().method() | | v16 extend_doctype_class | ERROR | Missing super() in mixin | ALWAYS call super() first | | No type annotations | SUGGESTION | Missing type hints (v16) | Add type annotations |

hooks.py Checks

| Check | Severity | Pattern | Fix | |-------|----------|---------|-----| | Invalid Python syntax | FATAL | Syntax errors | Fix dict/list structure | | Wrong event names | FATAL | Typo in event name | Use correct event names | | Invalid function paths | FATAL | Wrong dotted path | Verify path exists | | v16-only hooks on v14/v15 | ERROR | extend_doctype_class | Use doc_events instead | | Missing required_apps | WARNING | No dependency declaration | Add all dependencies |

Ops/Bench Checks

| Check | Severity | Pattern | Fix | |-------|----------|---------|-----| | No migrate after hooks | FATAL | hooks.py changed, no migrate | Run bench migrate | | Wrong bench command syntax | ERROR | Incorrect CLI args | Check frappe-ops-bench | | Missing backup before upgrade | ERROR | Upgrade without backup | ALWAYS backup first | | Production without supervisor | WARNING | No process manager | Use supervisor/systemd | | No SSL in production | WARNING | HTTP-only deployment | Configure SSL/TLS |

DocType JSON Checks

| Check | Severity | Pattern | Fix | |-------|----------|---------|-----| | Missing mandatory fields | ERROR | No primary identifier | Add name or autoname | | Duplicate fieldnames | FATAL | Same fieldname twice | Use unique fieldnames | | Wrong fieldtype for data | WARNING | Text for short values | Use Data/Small Text | | No permissions defined | WARNING | Empty permission list | Add role permissions |

v16 Specific Validations

extend_doctype_class Pattern

# VALIDATE: Mixin class MUST call super()
class CustomSalesInvoice(SalesInvoice):
    def validate(self):
        super().validate()       # REQUIRED - never skip
        self.custom_validation()

    def on_submit(self):
        super().on_submit()      # REQUIRED - never skip
        self.custom_on_submit()

Type Annotations (v16 best practice)

# v16 recommended pattern
def get_customer_balance(customer: str) -> float:
    ...

# Validate: type hints on public API methods
@frappe.whitelist()
def process_order(order_name: str, action: str = "approve") -> dict:
    ...

Data Masking (v16)

# Validate: sensitive fields should use data masking
# Check if PII fields have mask_with configured in DocType JSON

Universal Validation Rules

Security Checks (ALL code types)

| Check | Severity | Description | |-------|----------|-------------| | SQL Injection | CRITICAL | Raw user input in SQL | | Permission bypass | CRITICAL | Missing permission checks | | XSS vulnerability | HIGH | Unescaped user input in HTML | | Sensitive data exposure | HIGH | Logging passwords/tokens | | Hardcoded credentials | CRITICAL | API keys in source code |

Performance Checks (ALL code types)

| Check | Severity | Description | |-------|----------|-------------| | Query in loop | HIGH | frappe.db.* inside for loop | | Unbounded query | MEDIUM | SELECT without LIMIT | | Unnecessary get_doc | LOW | get_doc when get_value suffices | | Missing index | MEDIUM | Filter on non-indexed field | | No batch commit | HIGH | Commit per record in bulk ops |

Error Handling Checks (ALL code types)

| Check | Severity | Description | |-------|----------|-------------| | Silent failures | HIGH | except: pass without logging | | Missing user feedback | MEDIUM | Errors not shown to user | | Generic error messages | LOW | "An error occurred" | | No rollback on failure | HIGH | Partial data on error |

Validation Report Format

ALWAYS generate reports in this format:

## Code Validation Report

### Code Type: [type]
### Target: [DocType / App / File]
### Event/Trigger: [if applicable]

### CRITICAL ERRORS (Must Fix)
| # | Line | Issue | Fix |
|---|------|-------|-----|

### WARNINGS (Should Fix)
| # | Line | Issue | Recommendation |
|---|------|-------|----------------|

### SUGGESTIONS (Nice to Have)
| # | Line | Suggestion |
|---|------|------------|

### Corrected Code
[If critical errors found, provide corrected version]

### Version Compatibility
| Version | Status | Notes |
|---------|--------|-------|
| v14 | [status] | |
| v15 | [status] | |
| v16 | [status] | |

### Referenced Skills
- frappe-skill-name: [what was validated against]

Validation Depth Levels

| Level | Checks | Use When | |-------|--------|----------| | Quick | Fatal errors only | Initial scan | | Standard | + Warnings + Security | Pre-deployment (DEFAULT) | | Deep | + Suggestions + Performance + Ops | Production review |

Skill Catalog Cross-Reference

This validator validates against ALL 61 frappe-* skills:

Syntax Validation (11 skills)

frappe-syntax-clientscripts, frappe-syntax-serverscripts, frappe-syntax-controllers, frappe-syntax-hooks, frappe-syntax-hooks-events, frappe-syntax-whitelisted, frappe-syntax-jinja, frappe-syntax-scheduler, frappe-syntax-customapp, frappe-syntax-doctypes, frappe-syntax-reports

Implementation Validation (12 skills)

frappe-impl-clientscripts, frappe-impl-serverscripts, frappe-impl-controllers, frappe-impl-hooks, frappe-impl-whitelisted, frappe-impl-jinja, frappe-impl-scheduler, frappe-impl-customapp, frappe-impl-reports, frappe-impl-workflow, frappe-impl-website, frappe-impl-ui-components, frappe-impl-integrations

Error Pattern Validation (7 skills)

frappe-errors-clientscripts, frappe-errors-serverscripts, frappe-errors-controllers, frappe-errors-hooks, frappe-errors-api, frappe-errors-permissions, frappe-errors-database

Core Pattern Validation (7 skills)

frappe-core-database, frappe-core-permissions, frappe-core-api, frappe-core-workflow, frappe-core-notifications, frappe-core-files, frappe-core-cache

Ops Validation (8 skills)

frappe-ops-bench, frappe-ops-deployment, frappe-ops-backup, frappe-ops-performance, frappe-ops-upgrades, frappe-ops-cloud, frappe-ops-app-lifecycle, frappe-ops-frontend-build

Testing Validation (2 skills)

frappe-testing-unit, frappe-testing-cicd

Quick Validation Commands

Server Script: 5-point check

Any import statements? --> FATAL
Any self. references? --> FATAL (use doc.)
Any try/except? --> WARNING (usually wrong)
Uses frappe.throw() for validation? --> GOOD
Uses doc.field for access? --> GOOD

Client Script: 5-point check

Any frappe.db.* calls? --> FATAL
Any frappe.get_doc() calls? --> FATAL
frappe.call() without callback? --> FATAL
Uses frm.doc.field for access? --> GOOD
Uses frm.refresh_field() after changes? --> GOOD

Controller: 5-point check

Modifying self.* in on_update? --> FATAL
Missing super().method() calls? --> ERROR
self.save() in lifecycle hook? --> FATAL
Imports at top of file? --> GOOD
Error handling for external calls? --> GOOD

hooks.py: 5-point check

Valid Python syntax? --> Check
Function paths exist? --> Check
v16-only hooks marked? --> Check
required_apps complete? --> Check
Fixture filters present? --> Check

Bench/Ops: 5-point check

bench migrate after changes? --> REQUIRED
Backup before destructive ops? --> REQUIRED
Scheduler enabled? --> Check
Workers running? --> Check
SSL configured (production)? --> Check

See references/checklists.md for complete checklists. See references/examples.md for validation examples.

OpenAEC-Foundation/frappe-agent-validator

skills/source/agents/frappe-agent-validator/SKILL.md

Use when reviewing or validating Frappe/ERPNext code against best practices and common pitfalls. Checks generated code before deployment, validates against all 61 frappe-* skills, catches v16 patterns (extend_doctype_class, type annotations), validates ops patterns (bench commands, deployment), and generates correction reports. Keywords: review code, check script, validate deployment, find bugs, code quality, check my code, is this correct, code review, before deploying, best practices check.

86 stars

development

Updated Apr 25, 2026

$ install --global

skillsauth

npx skillsauth add OpenAEC-Foundation/ERPNext_Anthropic_Claude_Development_Skill_Package frappe-agent-validator

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 25, 2026, 11:54 AM55.4s4 files scanned

SKILL.md

name:: frappe-agent-validator
description:: >
commands, deployment), and generates correction reports. Keywords:: review
license:: MIT
compatibility:: Claude Code, Claude.ai Projects, Claude API. Frappe v14-v16.
author:: OpenAEC-Foundation
version:: 2.0

Frappe Code Validator Agent

Validates Frappe/ERPNext code against the complete 61-skill knowledge base, catching errors BEFORE deployment.

Purpose: Catch errors before deployment, not after

When to Use This Agent

CODE VALIDATION TRIGGERS
|
+-- Code has been generated and needs review
|   "Check this Server Script before I save it"
|   --> USE THIS AGENT
|
+-- Code is causing errors
|   "Why isn't this working?"
|   --> USE THIS AGENT
|
+-- Pre-deployment validation
|   "Is this production-ready?"
|   --> USE THIS AGENT
|
+-- Code review for best practices
|   "Can this be improved?"
|   --> USE THIS AGENT
|
+-- Ops/deployment validation
|   "Is my bench setup correct?"
|   --> USE THIS AGENT

Validation Workflow

STEP 1: IDENTIFY CODE TYPE
  Client Script | Server Script | Controller | hooks.py |
  Jinja | Whitelisted | Bench/Ops | DocType JSON

STEP 2: RUN TYPE-SPECIFIC CHECKS
  Apply checklist for identified code type

STEP 3: CHECK UNIVERSAL RULES
  Error handling | Security | Performance | User feedback

STEP 4: VERIFY VERSION COMPATIBILITY
  v14/v15/v16 features | Deprecated patterns

STEP 5: VALIDATE AGAINST SKILL CATALOG
  Cross-reference with relevant frappe-* skills

STEP 6: GENERATE VALIDATION REPORT
  Critical errors | Warnings | Suggestions | Corrected code

See references/workflow.md for detailed steps.

Critical Checks by Code Type

Server Script Checks

Client Script Checks

Controller Checks

hooks.py Checks

Ops/Bench Checks

DocType JSON Checks

v16 Specific Validations

extend_doctype_class Pattern

# VALIDATE: Mixin class MUST call super()
class CustomSalesInvoice(SalesInvoice):
    def validate(self):
        super().validate()       # REQUIRED - never skip
        self.custom_validation()

    def on_submit(self):
        super().on_submit()      # REQUIRED - never skip
        self.custom_on_submit()

Type Annotations (v16 best practice)

# v16 recommended pattern
def get_customer_balance(customer: str) -> float:
    ...

# Validate: type hints on public API methods
@frappe.whitelist()
def process_order(order_name: str, action: str = "approve") -> dict:
    ...

Data Masking (v16)

# Validate: sensitive fields should use data masking
# Check if PII fields have mask_with configured in DocType JSON

Universal Validation Rules

Security Checks (ALL code types)

Performance Checks (ALL code types)

Error Handling Checks (ALL code types)

Validation Report Format

ALWAYS generate reports in this format:

## Code Validation Report

### Code Type: [type]
### Target: [DocType / App / File]
### Event/Trigger: [if applicable]

### CRITICAL ERRORS (Must Fix)
| # | Line | Issue | Fix |
|---|------|-------|-----|

### WARNINGS (Should Fix)
| # | Line | Issue | Recommendation |
|---|------|-------|----------------|

### SUGGESTIONS (Nice to Have)
| # | Line | Suggestion |
|---|------|------------|

### Corrected Code
[If critical errors found, provide corrected version]

### Version Compatibility
| Version | Status | Notes |
|---------|--------|-------|
| v14 | [status] | |
| v15 | [status] | |
| v16 | [status] | |

### Referenced Skills
- frappe-skill-name: [what was validated against]

Validation Depth Levels

Skill Catalog Cross-Reference

This validator validates against ALL 61 frappe-* skills:

Syntax Validation (11 skills)

Implementation Validation (12 skills)

Error Pattern Validation (7 skills)

frappe-errors-clientscripts, frappe-errors-serverscripts, frappe-errors-controllers, frappe-errors-hooks, frappe-errors-api, frappe-errors-permissions, frappe-errors-database

Core Pattern Validation (7 skills)

frappe-core-database, frappe-core-permissions, frappe-core-api, frappe-core-workflow, frappe-core-notifications, frappe-core-files, frappe-core-cache

Ops Validation (8 skills)

frappe-ops-bench, frappe-ops-deployment, frappe-ops-backup, frappe-ops-performance, frappe-ops-upgrades, frappe-ops-cloud, frappe-ops-app-lifecycle, frappe-ops-frontend-build

Testing Validation (2 skills)

frappe-testing-unit, frappe-testing-cicd

Quick Validation Commands

Server Script: 5-point check

Any import statements? --> FATAL
Any self. references? --> FATAL (use doc.)
Any try/except? --> WARNING (usually wrong)
Uses frappe.throw() for validation? --> GOOD
Uses doc.field for access? --> GOOD

Client Script: 5-point check

Any frappe.db.* calls? --> FATAL
Any frappe.get_doc() calls? --> FATAL
frappe.call() without callback? --> FATAL
Uses frm.doc.field for access? --> GOOD
Uses frm.refresh_field() after changes? --> GOOD

Controller: 5-point check

Modifying self.* in on_update? --> FATAL
Missing super().method() calls? --> ERROR
self.save() in lifecycle hook? --> FATAL
Imports at top of file? --> GOOD
Error handling for external calls? --> GOOD

hooks.py: 5-point check

Valid Python syntax? --> Check
Function paths exist? --> Check
v16-only hooks marked? --> Check
required_apps complete? --> Check
Fixture filters present? --> Check

Bench/Ops: 5-point check

bench migrate after changes? --> REQUIRED
Backup before destructive ops? --> REQUIRED
Scheduler enabled? --> Check
Workers running? --> Check
SSL configured (production)? --> Check

See references/checklists.md for complete checklists. See references/examples.md for validation examples.

Related Skills

OpenAEC-Foundation/frappe-impl-integrations

tools

VerifiedTrustedCommunity

Use when implementing OAuth providers, Connected Apps, Webhooks, Payment Gateways, or Data Import/Export in Frappe. Prevents authentication failures from wrong OAuth flow, missed webhook deliveries, and data corruption during bulk imports. Covers OAuth2 provider/client, Connected App DocType, Webhook DocType, Payment Gateway integration, Data Import, Data Export, frappe.integrations module. Keywords: OAuth, Connected App, Webhook, Payment Gateway, Data Import, Data Export, integration, API key, OAuth2, webhook trigger, connect to external service, OAuth setup, webhook configuration, import data, export data..

86SKILL.mdUpdated Apr 25, 2026

OpenAEC-Foundation/frappe-impl-integrations

OpenAEC-Foundation/frappe-impl-hooks

development

VerifiedTrustedCommunity

Use when implementing hooks.py configurations in a Frappe custom app. Covers step-by-step workflows for doc_events, scheduler_events, override/extend_doctype_class, permission hooks, extend_bootinfo, fixtures, asset injection, website hooks, and doctype_js. Prevents broken transactions, missed migrations, and multi-app conflicts. Keywords: hooks.py, doc_events, scheduler_events, override doctype,, how to add hook, when to use doc_events, scheduler setup, override existing behavior. extend doctype class, permission hook, scheduler job, fixtures, doctype_js, extend_bootinfo, website hooks.

86SKILL.mdUpdated Apr 25, 2026

OpenAEC-Foundation/frappe-impl-hooks

OpenAEC-Foundation/frappe-impl-customapp

development

VerifiedTrustedCommunity

Use when building a custom Frappe app from scratch. Covers bench new-app walkthrough, app structure decisions, adding DocTypes, hooks, patches, fixtures management, development workflow (bench migrate, build, clear-cache), testing, packaging, installing on another site, version management, and app dependencies for v14/v15/v16. Keywords: create custom app, new frappe app, bench new-app, app structure, module creation, doctype creation, fixtures, patches, deployment, packaging, data migration, patch file, patches.txt, migrate data between DocTypes, create new app from scratch.

86SKILL.mdUpdated Apr 25, 2026

OpenAEC-Foundation/frappe-impl-customapp

OpenAEC-Foundation/frappe-impl-controllers

development

VerifiedTrustedCommunity

Use when building Document Controllers in a custom Frappe app: file creation, lifecycle hooks, validation, autoname, submittable workflows, controller override, child table controllers, flags system, migration from hooks.py and Server Scripts. Keywords: how to implement controller, which hook to use, validate vs on_update, override controller, submittable document, autoname, flags, extend_doctype_class, controller testing, child table controller, which hook to use, when does validate run, how to override save, document lifecycle.

86SKILL.mdUpdated Apr 25, 2026

OpenAEC-Foundation/frappe-impl-controllers

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/OpenAEC-Foundation/ERPNext_Anthropic_Claude_Development_Skill_Package.git

# Copy into Claude Code skills folder (global)
cp -r ERPNext_Anthropic_Claude_Development_Skill_Package/skills/source/agents/frappe-agent-validator ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

OpenAEC-Foundation/ERPNext_Anthropic_Claude_Development_Skill_Package

86 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT