cloudflare-workflows
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL (PROMPT_INJECTION)
Full Analysis
- Prompt Injection (LOW): The skill is susceptible to indirect prompt injection (Category 8) due to its handling of external data.
  - Ingestion points: Untrusted user data is ingested via req.json() in templates/workflow-with-events.ts (fields: description, comments).
  - Boundary markers: There are no boundary markers or instructions to the agent to ignore embedded instructions within these fields.
  - Capability inventory: The skill utilizes fetch() for external API calls and D1Database for persistence, which could be leveraged if instructions are successfully injected.
  - Sanitization: The templates interpolate raw user input directly into email bodies and API request payloads without sanitization or escaping.
- External Downloads (SAFE): The project's dependencies (wrangler, @cloudflare/workers-types) belong to trusted organizations (Cloudflare). No untrusted external scripts are downloaded or executed at runtime. [TRUST-SCOPE-RULE] applied to Cloudflare-scoped packages.
- Data Exfiltration (SAFE): While the skill makes network requests, they are directed to common placeholders (api.example.com) or specific payment gateways necessary for the stated workflow logic. No access to sensitive local files (like .aws/credentials) or environment secrets was detected.
- Obfuscation (SAFE): No evidence of Base64 encoding, zero-width characters, or homoglyph-based obfuscation was found in the analyzed files. The automated scanner's flag for 'req.url.in' is likely a false positive triggered by the standard req.url property access in TypeScript.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata