cloudflare-service-token-setup
Fail
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: Hardcoded Cloudflare Access Client ID and Client Secret hex strings are exposed in the documentation's example outputs and configuration instructions.
- [DATA_EXFILTRATION]: The skill directs the agent to transmit sensitive authentication headers (Client ID and Secret) to the domain 'temet.ai', which is not a recognized trusted vendor resource or well-known service.
- [COMMAND_EXECUTION]: The skill uses the 'Bash' tool to execute local scripts (e.g., cf-service-token.sh), source environment files, and append sensitive credentials to system files.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface by reading untrusted data from the '.env' file. Ingestion points: /home/dawiddutoit/projects/network/.env; Boundary markers: Absent; Capability inventory: Bash, curl, and Edit tools; Sanitization: Absent.
Recommendations
- AI detected serious security threats
Audit Metadata