building-mcp-server-on-cloudflare

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
  • REMOTE_CODE_EXECUTION (HIGH): The skill's 'copy-paste' code example for a database tool is vulnerable to SQL injection: the model-supplied string is not a parameter of a query, it is the entire statement.
  • Evidence: In SKILL.md the query_db tool is implemented as this.env.DB.prepare(sql).all(), which takes the raw sql string from the tool input and executes it against the linked Cloudflare D1 database.
  • Ingestion points: The sql parameter in the query_db tool definition.
  • Boundary markers: Absent; the input is never bound into a fixed statement, so nothing separates data from SQL code.
  • Capability inventory: Full read/write access to the linked Cloudflare D1 database (any statement D1 will execute, DDL included).
  • Sanitization: Absent; the only check is the Zod string type on the parameter, which constrains the type of the value, not its content, and so rejects no SQL.
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill instructs users to download and execute templates from external repositories that are not on the audit's pre-approved trusted list.
  • Evidence: SKILL.md and references/examples.md suggest running npm create cloudflare@latest with templates such as cloudflare/ai/demos/remote-mcp-github-oauth.
  • Status: Cloudflare is a known vendor, but it is not among the specified [TRUST-SCOPE-RULE] organizations, and npm create runs the fetched template's code on the developer's machine, so this is rated MEDIUM rather than LOW.
  • COMMAND_EXECUTION (LOW): The skill requires running several CLI tools and local servers to function.
  • Evidence: Frequent use of npm start, npx wrangler deploy, and npx @modelcontextprotocol/inspector@latest.
  • Context: These are standard development workflows for the Cloudflare platform, but each fetches and runs code from the npm registry, and the @latest specifiers mean the exact code that runs is not pinned.
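The REMOTE_CODE_EXECUTION finding above comes down to one design choice: the model chooses the SQL text. The following is an added example, not code from the skill or from Cloudflare, that places the flagged raw-SQL tool shape beside a hardened one in which the model can only pick a named query and supply values that reach D1 through .bind(). The D1 binding is modelled by a minimal D1Like interface and a recording stand-in (both assumptions) so the file runs without a Worker; on Workers the real binding is env.DB.

```typescript
// Added example, not code from the skill or from Cloudflare: the raw-SQL
// query_db tool shape the audit flags, beside a hardened shape that never
// lets the model author SQL. The D1 binding is modelled by a minimal
// interface (assumption) so this runs offline; on Workers it is env.DB.

interface D1PreparedStatement {
  bind(...values: unknown[]): D1PreparedStatement;
  all(): Promise<{ results: Record<string, unknown>[] }>;
}
interface D1Like {
  prepare(sql: string): D1PreparedStatement;
}

// Vulnerable shape: the tool's only input is the statement itself, and a
// z.string() schema accepts "DROP TABLE users" as readily as a SELECT.
async function queryDbUnsafe(db: D1Like, input: { sql: string }) {
  return db.prepare(input.sql).all();
}

// Hardened shape: SQL text is a constant chosen from an allow-list by name;
// the model supplies only values, and those reach D1 through .bind().
type ParamType = "integer" | "text";
interface NamedQuery {
  sql: string;
  params: { name: string; type: ParamType }[];
}

const ALLOWED_QUERIES: Record<string, NamedQuery> = {
  user_by_id: {
    sql: "SELECT id, name FROM users WHERE id = ?",
    params: [{ name: "id", type: "integer" }],
  },
  orders_for_user: {
    sql: "SELECT id, total FROM orders WHERE user_id = ? AND status = ? LIMIT 100",
    params: [
      { name: "user_id", type: "integer" },
      { name: "status", type: "text" },
    ],
  },
};

// Type-check each value; a string where an integer is expected ("1 OR 1=1")
// is rejected instead of being spliced into the query.
function coerceParam(type: ParamType, raw: unknown): number | string {
  if (type === "integer") {
    if (typeof raw !== "number" || !Number.isSafeInteger(raw)) {
      throw new Error(`expected integer, got ${JSON.stringify(raw)}`);
    }
    return raw;
  }
  if (typeof raw !== "string" || raw.length > 256) {
    throw new Error("expected text of at most 256 characters");
  }
  return raw;
}

function prepareSafe(
  db: D1Like,
  input: { query: string; args: Record<string, unknown> },
): D1PreparedStatement {
  // hasOwnProperty guards against names like "constructor" or "__proto__"
  // resolving to inherited Object members instead of an entry we defined.
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_QUERIES, input.query)) {
    throw new Error(`unknown query: ${input.query}`);
  }
  const spec = ALLOWED_QUERIES[input.query];
  const values = spec.params.map((p) => coerceParam(p.type, input.args[p.name]));
  return db.prepare(spec.sql).bind(...values);
}

async function queryDbSafe(
  db: D1Like,
  input: { query: string; args: Record<string, unknown> },
) {
  return prepareSafe(db, input).all();
}

// Recording stand-in for D1 (assumption, not the real binding) so the
// difference is observable without a database: it captures the SQL text and
// the bound values each tool sends.
function recordingDb() {
  const calls: { sql: string; values: unknown[] }[] = [];
  const db: D1Like = {
    prepare(sql) {
      const call = { sql, values: [] as unknown[] };
      calls.push(call);
      const stmt: D1PreparedStatement = {
        bind(...values) {
          call.values = values;
          return stmt;
        },
        async all() {
          return { results: [] };
        },
      };
      return stmt;
    },
  };
  return { db, calls };
}
```

With the recording stand-in, queryDbUnsafe forwards "DROP TABLE users" to prepare() verbatim, while queryDbSafe sends only the constant SELECT text and passes the model's values through bind(), and it throws before touching the database on an unknown query name or a wrongly typed value. In the real MCP server the matching change is to the tool schema: replace the bare z.string() sql parameter with a z.enum() over the allow-listed query names plus typed fields for the arguments, so the schema and the handler enforce the same boundary.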
Recommendations
  • Automated analysis detected serious security threats. The HIGH finding should be fixed before the skill is used: replace the raw-SQL query_db tool with a fixed set of named, parameterized queries whose values are passed through D1's .bind() rather than accepted as statement text. For the MEDIUM and LOW findings, pin the versions of the templates and npm/npx tools the skill invokes instead of using @latest.
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 11:37 PM