Cloudflare
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [Prompt Injection] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) because it processes untrusted project files and deploys them with high-privilege tools.
  - Ingestion points: Processes external worker source code (src/simple.js), project configuration (wrangler.toml), and local customization files from ~/.claude/.
  - Boundary markers: Absent; there are no delimiters or instructions to ignore embedded commands within the code being deployed.
  - Capability inventory: Possesses capabilities for remote deployment (wrangler deploy), package execution (npx), and local network requests (curl).
  - Sanitization: Lacks any sanitization or validation of the processed files before they are utilized in commands.
- [Remote Code Execution] (HIGH): The skill utilizes npx wrangler, which fetches and executes code from the npm registry at runtime. This introduces a supply-chain risk where a compromised package could execute arbitrary code on the host system.
- [Command Execution] (MEDIUM): The skill mandates a curl request to localhost:8888 upon every invocation. While localhost is typically whitelisted, forcing interaction with local services introduces SSRF risks and can be exploited to interact with other local applications or bypass security controls.
- [External Downloads] (MEDIUM): The skill relies on external documentation links and dynamic configuration loading from local paths that could be influenced by other malicious processes or files on the system.
Recommendations
- AI detected serious security threats
Audit Metadata