cloudflare-tunnel-setup

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly directs the agent to copy and insert the raw CLOUDFLARE_TUNNEL_TOKEN into the .env (via an "Edit" tool) and includes commands that read/decode that token, which requires the LLM to handle and potentially emit the secret verbatim.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill pulls and runs the external Docker image cloudflare/cloudflared:latest (docker.io/cloudflare/cloudflared:latest) at runtime via docker compose, which fetches and executes remote code that the skill requires for operation.