building-mcp-server-on-cloudflare

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): Vulnerable SQL execution pattern in documentation. Evidence: In SKILL.md, the 'query_db' tool example accepts a raw string parameter 'sql' and executes it verbatim against the Cloudflare D1 database with 'this.env.DB.prepare(sql).all()'. Risk: Whoever controls the tool's 'sql' argument (the model, and through it any content the model has read) controls the whole statement, so this is a direct SQL injection vector allowing arbitrary reads, writes and schema changes on the bound database.
  • [PROMPT_INJECTION] (HIGH): Indirect prompt injection surface via tool parameters. Evidence: Tool parameters in SKILL.md are passed to sensitive functions without sanitization or boundary markers, so text the model ingests from an untrusted source (a fetched page, a document, an earlier tool result) can steer the arguments it sends. Evidence chain: 1. Ingestion: the 'sql' string parameter of the 'query_db' tool (SKILL.md). 2. Boundary markers: absent. 3. Capability: full D1 database read/write access. 4. Sanitization: absent.
  • [DATA_EXFILTRATION] (MEDIUM): Insecure CORS configuration. Evidence: references/troubleshooting.md suggests setting 'Access-Control-Allow-Origin' to '*', which lets a page served from any origin read the worker's responses from a browser and could expose data to sites that should never receive it. An allowlist of known origins (echoing the matched 'Origin' value and sending 'Vary: Origin') is the appropriate fix.
  • [EXTERNAL_DOWNLOADS] (LOW): Use of trusted external dependencies. Evidence: The skill uses 'npm create cloudflare' and '@modelcontextprotocol/inspector'. Status: These sources are within the trusted scope (Cloudflare, ModelContextProtocol), reducing the severity of the download itself to LOW.
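The following block is an added example written for this audit page; it is not code from the audited skill or from Cloudflare. It shows the vulnerable 'query_db' shape the COMMAND_EXECUTION and PROMPT_INJECTION findings describe next to a hardened shape that never accepts SQL text from the model (table and column names come from an allowlist, values go through D1's '.bind()'), and an origin allowlist that replaces the 'Access-Control-Allow-Origin: *' setting from the DATA_EXFILTRATION finding. The table names, columns, allowed origin and function names are assumptions made for the example; the D1 binding 'env.DB' is the one a Worker receives from its wrangler configuration and is not simulated here.

```javascript
// Added example for the audit findings above; not the skill's own code.
// ALLOWED_TABLES, ALLOWED_ORIGINS, buildSelect and corsHeadersFor are
// assumed names chosen for this illustration.

// --- COMMAND_EXECUTION / PROMPT_INJECTION: the 'sql' parameter -----------

// Vulnerable shape from the finding: the model-supplied string IS the
// statement, so any text the model was steered into sending runs as SQL.
async function queryDbVulnerable(env, sql) {
  return env.DB.prepare(sql).all();
}

// Hardened shape: the tool takes structured arguments, not SQL. Identifiers
// are only ever taken from this allowlist (assumed schema for the example),
// and every value reaches the database as a bound parameter.
const ALLOWED_TABLES = {
  users: ["id", "email", "created_at"],
  orders: ["id", "user_id", "status", "total_cents"],
};
const MAX_LIMIT = 100;

// Returns { sql, params } ready for env.DB.prepare(sql).bind(...params).
function buildSelect({ table, filters = {}, limit = 20 }) {
  const columns = ALLOWED_TABLES[table];
  if (!columns) throw new Error(`table not permitted: ${table}`);
  if (!Number.isInteger(limit) || limit < 1) throw new Error(`invalid limit: ${limit}`);

  const clauses = [];
  const params = [];
  for (const [column, value] of Object.entries(filters)) {
    if (!columns.includes(column)) throw new Error(`column not permitted: ${column}`);
    if (typeof value !== "string" && typeof value !== "number") {
      throw new Error(`unsupported filter value for ${column}`);
    }
    clauses.push(`"${column}" = ?`); // placeholder only; the value is never spliced in
    params.push(value);
  }

  const sql =
    `SELECT ${columns.map((c) => `"${c}"`).join(", ")} FROM "${table}"` +
    (clauses.length ? ` WHERE ${clauses.join(" AND ")}` : "") +
    ` LIMIT ${Math.min(limit, MAX_LIMIT)}`;
  return { sql, params };
}

async function queryDbHardened(env, args) {
  const { sql, params } = buildSelect(args);
  return env.DB.prepare(sql).bind(...params).all();
}

// The MCP tool's input schema should mirror the allowlist so the model is
// never offered a free-form 'sql' string in the first place.
const QUERY_DB_INPUT_SCHEMA = {
  type: "object",
  properties: {
    table: { type: "string", enum: Object.keys(ALLOWED_TABLES) },
    filters: { type: "object", additionalProperties: { type: ["string", "number"] } },
    limit: { type: "integer", minimum: 1, maximum: MAX_LIMIT },
  },
  required: ["table"],
  additionalProperties: false,
};

// --- DATA_EXFILTRATION: replacing 'Access-Control-Allow-Origin: *' -------

const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed

// Grants CORS only to a listed origin, echoing that exact origin back.
// Any other origin (or a request with no Origin header) gets no CORS
// headers at all, so the browser refuses the cross-origin read.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    Vary: "Origin", // shared caches must not reuse one origin's grant for another
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
  };
}

// Worker entry point (shape only): preflight and real responses both use
// the per-origin headers instead of a wildcard.
const worker = {
  async fetch(request, env) {
    const cors = corsHeadersFor(request.headers.get("Origin"));
    if (request.method === "OPTIONS") return new Response(null, { status: 204, headers: cors });
    const args = await request.json();
    const rows = await queryDbHardened(env, args);
    return new Response(JSON.stringify(rows), {
      headers: { "Content-Type": "application/json", ...cors },
    });
  },
};
```

Note that binding parameters removes the injection primitive but not the need for authorization: a model steered by injected content can still ask for any row the allowlisted tables expose, so the binding should point at a database (or set of tables) that the MCP server is actually entitled to read, and write access should be a separate, explicitly authorized tool rather than a side effect of 'query_db'.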
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 09:12 AM