mcp-cloudflare
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Flags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The 'container_exec' tool runs arbitrary commands inside an isolated sandbox. Scenario 18 shows it cloning remote repositories and installing packages, so untrusted third-party code can be fetched and executed on the agent's behalf.
- COMMAND_EXECUTION (HIGH): The 'd1_database_query' tool executes raw SQL against D1. The instructions describe no parameterization or sanitization, so SQL built from user-provided data or log content is exposed to SQL injection.
- EXTERNAL_DOWNLOADS (HIGH): The sandbox can download and execute code from external URLs via tools such as git and npm (Scenario 18).
- DATA_EXFILTRATION (MEDIUM): The 'workers_get_worker_code' tool exposes proprietary Worker source code and environment variables. Because the container sandbox has outbound network access, that data could be exfiltrated from it.
- PROMPT_INJECTION (LOW): The skill has a significant indirect prompt-injection surface because it ingests untrusted data from logs and web pages:
  1. Ingestion points: 'get_url_html_content', 'query_worker_observability'.
  2. Boundary markers: absent.
  3. Capability inventory: 'container_exec', 'd1_database_query', and resource management (KV/R2/D1).
  4. Sanitization: absent; the skill relies solely on manual human confirmation for write operations.
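Two of the findings above turn on the same check: the raw-SQL injection risk in 'd1_database_query', and the absent sanitization that leaves write operations to human confirmation (which a model-supplied statement could bypass if a "read" query smuggles in a second statement). The following is an added example in TypeScript, the language of Cloudflare Workers and their MCP servers; it is not code from mcp-cloudflare or from the audit. The function names (gateReadOnlySql, naivePrefixCheck, stripLiteralsAndComments) and the sample statements are assumptions constructed for the example. It contrasts a naive "starts with SELECT" check, which stacked or comment-hidden statements slip past, with a check that strips comments and literals before classifying the statement.

```typescript
// Added example (not mcp-cloudflare code): a read-only gate for a raw-SQL tool.
// Assumption: the tool handler receives the SQL text before it is sent to D1,
// and anything that is not provably read-only goes to the human-confirmed path.

type GateResult = { allowed: true } | { allowed: false; reason: string };

// Keywords that change data or schema; any occurrence outside a literal or
// comment marks the statement as a write.
const WRITE_KEYWORDS = new Set([
  "INSERT", "UPDATE", "DELETE", "REPLACE", "DROP", "ALTER", "CREATE",
  "ATTACH", "DETACH", "PRAGMA", "VACUUM", "REINDEX", "TRUNCATE",
]);

// The naive check most handlers start with: accept anything beginning with SELECT.
function naivePrefixCheck(sql: string): boolean {
  return /^\s*select\b/i.test(sql);
}

// Remove -- and /* */ comments and replace quoted literals/identifiers with
// placeholders, so keywords inside strings are ignored and a comment cannot
// hide a statement separator.
function stripLiteralsAndComments(sql: string): string {
  let out = "";
  let i = 0;
  while (i < sql.length) {
    const c = sql[i];
    const next = sql[i + 1];
    if (c === "-" && next === "-") {                 // line comment
      while (i < sql.length && sql[i] !== "\n") i++;
      continue;
    }
    if (c === "/" && next === "*") {                 // block comment
      const end = sql.indexOf("*/", i + 2);
      i = end === -1 ? sql.length : end + 2;
      out += " ";
      continue;
    }
    if (c === "'" || c === '"' || c === "`") {       // quoted literal or identifier
      let j = i + 1;
      while (j < sql.length) {
        if (sql[j] === c) {
          if (sql[j + 1] === c) { j += 2; continue; } // doubled quote is an escape
          break;
        }
        j++;
      }
      out += c === "'" ? "'?'" : "?";
      i = j + 1;
      continue;
    }
    out += c;
    i++;
  }
  return out;
}

// Classify a statement as read-only: single statement, starts with
// SELECT/WITH/EXPLAIN, and contains no write keyword anywhere.
function gateReadOnlySql(sql: string): GateResult {
  const cleaned = stripLiteralsAndComments(sql).trim().replace(/;\s*$/, "");
  if (cleaned.length === 0) return { allowed: false, reason: "empty statement" };
  if (cleaned.includes(";")) {
    return { allowed: false, reason: "stacked statements are not allowed" };
  }
  const tokens = cleaned.toUpperCase().split(/[^A-Z_]+/).filter(Boolean);
  const first = tokens[0];
  if (first !== "SELECT" && first !== "WITH" && first !== "EXPLAIN") {
    return { allowed: false, reason: `statement must start with SELECT, WITH or EXPLAIN (got ${first})` };
  }
  const bad = tokens.find((t) => WRITE_KEYWORDS.has(t));
  if (bad) return { allowed: false, reason: `write keyword ${bad} in read-only query` };
  return { allowed: true };
}

// Constructed sample statements for the example (not from the audited tool).
const SAMPLES = {
  plain: "SELECT id, msg FROM logs WHERE level = 'error' LIMIT 10",
  literalKeyword: "SELECT id FROM logs WHERE msg = 'DROP TABLE users'",
  stacked: "SELECT 1; DROP TABLE logs",
  comment: "SELECT 1 /* harmless */; DELETE FROM logs --",
  cte: "WITH x AS (SELECT 1) DELETE FROM logs",
  write: "DELETE FROM logs WHERE id = 1",
};

for (const [name, sql] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(15), "naive:", naivePrefixCheck(sql), "gate:", gateReadOnlySql(sql));
}
```

The gate only narrows what the tool will run; a SELECT can still read and return sensitive rows, so it complements, rather than replaces, a D1 binding or API token scoped to the minimum the tool needs. Where the server itself composes SQL from log or user data, the remedy is a parameterized statement (D1's prepare().bind() form), not a filter on the assembled string.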
Recommendations
- AI detected serious security threats
Audit Metadata