cloudflare-worker-base

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
  • Prompt Injection (HIGH): The skill is highly vulnerable to indirect prompt injection (Category 8).
  • Ingestion points: The cloudflare-debug agent ingests untrusted data via wrangler tail (logs) and curl responses. The deploy command ingests code changes via git diff to generate commit messages.
  • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used when processing this external data.
  • Capability inventory: Multiple agents possess high-privilege capabilities: wrangler deploy (production deployment in cloudflare-deploy.md), git push (repository modification in deploy.md), and wrangler d1 execute (database manipulation in d1-migration.md).
  • Sanitization: No sanitization or validation of the ingested external content is performed before it is processed by the agent, allowing an attacker to potentially influence high-privilege actions.
  • Credentials Unsafe (HIGH): The cloudflare-debug.md agent includes commands to explicitly list and identify secrets.
  • Evidence: Running npx wrangler secret list and grep -r "env." src/ exposes secret names and their locations within the codebase. While the agent has a 'Do NOT' rule against exposing values, the exposure of keys and usage patterns to the model remains a high-risk data exposure (Category 2).
  • Command Execution (HIGH): Multiple components execute powerful CLI tools with significant side effects. The cloudflare-deploy.md agent and deploy.md command execute wrangler deploy to modify production environments. The d1-migration.md agent executes database commands, and deploy.md performs git writes.
  • External Downloads (MEDIUM): The init.md and worker-scaffold.md scripts perform npm install for various packages. While these packages (Hono, Vite, Wrangler) are from reputable sources, the use of unverified, future-dated version numbers which do not currently exist is highly suspicious (Category 7).
  • Metadata Poisoning (MEDIUM): The README and configuration files reference software versions that are significantly ahead of the current stable releases (e.g., Wrangler 4.54.0 vs current v3.x, Vite 7.3.0 vs current v6.x). This misleading metadata could lead to unexpected behavior or reliance on hallucinated features.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 08:33 PM