docker-deployment
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [Unverifiable Dependencies & Remote Code Execution] (HIGH): The file references/cf-tunnel.md instructs the user to download a binary package (cloudflared-linux-amd64.deb) from an external GitHub repository and install it using root privileges. Since the cloudflare organization is not in the predefined trusted whitelist, this constitutes an untrusted remote code execution vector. (Verdict downgraded to MEDIUM due to primary skill purpose.)
- [Privilege Escalation] (HIGH): The skill makes extensive use of sudo for installing software, creating system services, and managing system configurations. These operations grant the agent or user significant control over the host system. (Verdict downgraded to MEDIUM due to primary skill purpose.)
- [Data Exposure & Exfiltration] (HIGH): The skill manages highly sensitive files including private keys (nginx.key) and tunnel authentication certificates (~/.cloudflared/cert.pem). While documentation includes warnings about .gitignore, interaction with these paths by an agent presents an exposure risk. (Verdict downgraded to MEDIUM due to primary skill purpose.)
- [Persistence Mechanisms] (HIGH): The skill involves installing cloudflared as a system service (sudo cloudflared service install) and enabling it via systemctl, which ensures the software persists across reboots. (Verdict downgraded to MEDIUM due to primary skill purpose.)
- [Indirect Prompt Injection] (LOW): The skill establishes an attack surface for indirect prompt injection.
  - Ingestion points: Public internet traffic entering the system via the Cloudflare Tunnel ingress rules defined in cf-tunnel.md.
  - Boundary markers: Absent; there are no instructions to the agent to treat ingress traffic as untrusted or to isolate it from instruction processing.
  - Capability inventory: The skill possesses the capability to execute shell commands with sudo, install binaries, and modify system services.
  - Sanitization: No sanitization or validation logic is provided for the data processed through the tunnel.
Audit Metadata