cloudflare

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICAL
Finding categories: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION] (CRITICAL): The skill reads a sensitive credential file (~/cloudflare_global_key) in scripts/cf-api.sh and transmits its contents (API tokens/keys) to a non-whitelisted external domain (api.cloudflare.com) via curl. In an assume-malicious posture, this sequence of sensitive file access followed by a network send to a non-trusted domain constitutes exfiltration.
  • [PROMPT_INJECTION] (HIGH): The skill is susceptible to indirect prompt injection. It ingests untrusted data from the Cloudflare API (such as firewall event logs, analytics, and DNS record content) and possesses high-privilege write/execute capabilities, including modifying DNS records and deploying serverless Workers. An attacker could embed malicious instructions in these metadata fields that the agent may then obey.
    • Ingestion points: scripts/analytics.sh (firewall events), scripts/zones.sh (zone details), scripts/dns-export.sh (DNS records).
    • Boundary markers: Absent. The scripts do not use delimiters or specific instructions to ensure the agent ignores instructions found within API responses.
    • Capability inventory: Full write and deployment access via scripts/dns.sh, scripts/workers.sh, scripts/firewall.sh, and scripts/zone-settings.sh.
    • Sanitization: Absent. Data is parsed using jq but is not sanitized to remove potential injection patterns before reaching the agent context.
  • [CREDENTIALS_UNSAFE] (HIGH): The skill uses a hardcoded sensitive file path (~/cloudflare_global_key) to store and retrieve long-lived administrative API credentials, exposing them to any process that can access the home directory.
  • [COMMAND_EXECUTION] (MEDIUM): The scripts extensively use shell commands like curl and jq to perform operations. While common for infrastructure management, this orchestration layer increases the attack surface for command injection if identifiers like zone_id or script_name are maliciously crafted.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 16, 2026, 07:28 AM