building-ai-agent-on-cloudflare
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL
Tags: EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (LOW): The skill references 'wrangler' and 'npm create cloudflare', which are official Cloudflare development tools. These are recognized as trusted external sources, resulting in a low severity rating for the download process.
- [PROMPT_INJECTION] (LOW): The agent architecture ingests untrusted data from WebSockets and processes it using AI models and SQL queries without explicit sanitization, creating an indirect prompt injection surface.
  1. Ingestion points: 'userMessage' in handleChat (SKILL.md) and 'message' in onChatMessage (SKILL.md).
  2. Boundary markers: Absent; user input is interpolated into AI message arrays without delimiters.
  3. Capability inventory: AI model execution (env.AI.run), SQL database operations (this.sql), and task scheduling (this.schedule).
  4. Sanitization: Absent; the example code does not demonstrate validation or escaping of user input.
- [SAFE] (SAFE): The automated scanner alert for 'this.ca' is identified as a false positive likely triggered by code fragments such as 'this.cancelSchedule'.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata