The Agent Skills Directory

REMOTE_CODE_EXECUTION (HIGH): The skill features a 'Super Admin' tier with tools like 'container_exec' and 'container_file_write'. Scenarios explicitly describe cloning external git repositories and executing 'npm install', which allows for the execution of untrusted code from remote sources within the execution environment.
COMMAND_EXECUTION (HIGH): Direct shell command execution is available via 'container_exec'. While intended for a containerized sandbox, this provides a mechanism for arbitrary operations that could be exploited to manipulate the agent or interact with other tools.
DATA_EXFILTRATION (MEDIUM): The skill can access sensitive Worker source code ('workers_get_worker_code') and perform outbound network requests ('get_url_html_content'). This combination creates a risk where source code or secrets extracted from the Cloudflare environment could be exfiltrated to an external endpoint via the agent's browsing tools.
PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted content from web pages, logs, and code. Ingestion points: 'get_url_html_content', 'get_url_markdown', 'workers_builds_get_build_logs', 'workers_get_worker_code'. Boundary markers: No specific delimiters or safety instructions for handling external data are implemented to prevent the model from obeying instructions hidden in logs or code. Capability inventory: 'container_exec', 'WebFetch', 'd1_database_query', 'kv_namespace_delete'. Sanitization: The skill lacks explicit sanitization or validation routines for external data before it is processed by the agent.
EXTERNAL_DOWNLOADS (LOW): Recommends 'wrangler' (trusted source) and cloning user-provided repositories (untrusted). Per [TRUST-SCOPE-RULE], wrangler itself is low risk, but cloning arbitrary repositories remains a security concern.

cloudflare