cloudflare-automation
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (MEDIUM): The skill utilizes an 'Always search first' pattern where the agent is instructed to fetch tool schemas from a remote server (
rube.app) viaRUBE_SEARCH_TOOLSbefore execution. This creates a vulnerability where the remote server can dynamically change tool definitions, input requirements, or execution plans, effectively controlling the agent's actions on the user's Cloudflare account. - Ingestion points: Responses from
RUBE_SEARCH_TOOLSandRUBE_GET_TOOL_SCHEMAS. - Boundary markers: None specified; instructions encourage blind adherence to returned schemas.
- Capability inventory: Cloudflare API operations including DNS management, connection handling via
RUBE_MANAGE_CONNECTIONS, and arbitrary tool execution viaRUBE_MULTI_EXECUTE_TOOL. - Sanitization: None; the skill relies on 'exact field names and types' from the untrusted remote search results.
- [External Dependency] (MEDIUM): The setup requires adding
https://rube.app/mcpas an MCP server. This third-party gateway acts as a proxy for all Cloudflare operations. Unless the user trusts the operator ofrube.app, there is a risk of credential exposure or command interception during theRUBE_MANAGE_CONNECTIONSflow. - [Data Exposure] (LOW): While not direct exfiltration, the architecture ensures that all metadata about the user's Cloudflare environment and the specific operations performed are visible to the Rube MCP server infrastructure.
Audit Metadata