Cloudflare Manager
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill frequently spawns the curl binary using spawnSync to handle multipart and binary data for the Cloudflare API.
  - This pattern is found in scripts/workers.ts for deploying worker scripts and scripts/r2-storage.ts for uploading and downloading objects.
  - While the scripts include basic validation (e.g., regex for worker names), the use of external binaries for network operations is a sensitive capability.
- [DATA_EXFILTRATION]: The skill reads sensitive local files to perform its primary functions.
  - It accesses the .env file in the project root to retrieve the CLOUDFLARE_API_KEY for authentication.
  - It reads local application code and assets to deploy them to Cloudflare Workers and R2 buckets.
  - All network communication is directed to Cloudflare's official API (api.cloudflare.com), which is a well-known and trusted service.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to how it handles data retrieved from remote storage.
  - Ingestion points: Data is fetched from Cloudflare KV namespaces in scripts/kv-storage.ts and R2 buckets in scripts/r2-storage.ts and then displayed or saved locally.
  - Boundary markers: The skill does not provide any boundary markers or instructions to the agent to disregard potential commands embedded in the fetched data.
  - Capability inventory: The skill possesses file-write, network-send (fetch/curl), and subprocess-execution capabilities, making an injection potentially impactful.
  - Sanitization: There is no sanitization or validation of the content fetched from remote storage before it is placed into the agent's context.
Audit Metadata