deploying-cloudflare-access-for-zero-trust

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt includes multiple API calls and configuration payloads that expect API tokens, client_secrets, and access-key/secret-access-key values to be inserted verbatim (e.g., JSON fields and a logpush destination URL), which requires the LLM to handle or emit secret values directly.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill installs and runs a remote binary at runtime via curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb which fetches and installs/executed remote code and is a required dependency for the tunnel, so it meets the criteria for a high-risk external runtime dependency.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt includes explicit privileged operations (multiple sudo commands), installation of a systemd service, and modification of system certificate stores and system files, which instruct the agent to change the host's state requiring root—so it should be flagged.