cloudflare-api
Pass
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill provides numerous examples of shell scripts and CLI commands that use curl, jq, and bash loops to interact with the Cloudflare API for zone management, DNS updates, and firewall rules.
- [EXTERNAL_DOWNLOADS]: The skill documents interactions with the official Cloudflare API at
https://api.cloudflare.com/client/v4/. This is a well-known service and the interactions are standard for the skill's functionality. - [PROMPT_INJECTION]: The skill ingests data from external files such as
dns-records.csvandredirects.csvto automate API calls. This represents an indirect prompt injection surface where maliciously crafted data in these files could influence the generated API requests. However, the logic provided (e.g., usingjson.dumpsin Python) follows common automation patterns and does not present an immediate threat to the agent environment itself. - [CREDENTIALS_UNSAFE]: The skill correctly advises users to store API tokens in environment variables (e.g.,
CLOUDFLARE_API_TOKEN) rather than hardcoding them in scripts, following security best practices.
Audit Metadata