building-mcp-server-on-cloudflare

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill instructs users to download and execute code templates from the cloudflare GitHub organization (cloudflare/ai/demos/). As 'cloudflare' is not included in the 'Trusted GitHub Organizations' list, this constitutes an unverifiable remote dependency.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill references the @modelcontextprotocol/inspector package and imports from agents/mcp. The latter is not provided within the skill package, and the 'modelcontextprotocol' organization is not in the trusted whitelist.
  • [COMMAND_EXECUTION] (LOW): The skill utilizes npm, npx, and the wrangler CLI for setup, local development, and deployment.
  • [PROMPT_INJECTION] (LOW): Category 8: Indirect Prompt Injection surface. The query_db tool example demonstrates an unsafe pattern by accepting raw SQL strings.
    • Ingestion points: The sql argument of the query_db tool defined in SKILL.md.
    • Boundary markers: Absent; the tool accepts free-text strings without delimiters or validation.
    • Capability inventory: Full read/write access to the Cloudflare D1 database via this.env.DB.prepare(sql).all().
    • Sanitization: Absent; the documentation's example does not use parameterized queries, leaving the tool vulnerable to exploitation through malicious user input.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:11 PM