cf-proxy
Fail
Audited by Snyk on May 7, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly says it will collect Cloudflare credentials and produce deployment configs and the final VLESS connection URI (including generated UUID/admin password), which requires the agent to include secret values verbatim in commands/configs and outputs.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (medium risk: 0.65). The GitHub repo is from an unfamiliar user and likely contains scripts that download/execute code and automate domain binding (which can hide malicious payloads), and the placeholder "your-domain" could represent an attacker-controlled endpoint — while GitHub is legitimate, running unreviewed repo scripts is risky.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's required workflow explicitly downloads and deploys edgetunnel code from a public GitHub repository ("Downloads edgetunnel — fetches the worker code from GitHub (cmliu/edgetunnel)"), meaning it ingests untrusted third‑party content that can change runtime behavior when executed or deployed.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill explicitly downloads and deploys remote worker code from GitHub at runtime (e.g., https://github.com/cmliu/edgetunnel and the skill repo https://github.com/LewisLiu007/cf-proxy), so fetched content is a required dependency that is executed as part of deployment.
Issues (4)
- HIGH W007: Insecure credential handling detected in skill instructions.
- CRITICAL E005: Suspicious download URL detected in skill instructions.
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).