MCP OAuth Cloudflare

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE] (SAFE): The skill provides a robust template for OAuth 2.0 authentication. It includes explicit security checks such as CSRF token validation and state token verification to prevent replay attacks.
  • [DATA_EXPOSURE] (SAFE): Environment variables for secrets (e.g., GOOGLE_CLIENT_SECRET) are defined as types in env.d.ts for the user to configure securely via Cloudflare's secret management. No actual credentials or tokens are hardcoded.
  • [EXTERNAL_DOWNLOADS] (SAFE): Dependencies are standard, versioned NPM packages. The core provider @cloudflare/workers-oauth-provider is a library designed for this specific use case on the Cloudflare platform.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill ingests user profile data from Google (email, name). While this is an untrusted data source, the risk is mitigated by the structured nature of the OAuth response and the use of the zod library for schema validation in the MCP server implementation.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 04:43 PM