wrangler
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it instructs the agent to process content from external files without providing sanitization rules or boundary markers.
  - Ingestion points: Untrusted data enters the context through files processed by commands such as `wrangler d1 execute --file ./schema.sql`, `wrangler vectorize insert --file vectors.ndjson`, and `wrangler secret bulk secrets.json`.
  - Boundary markers: The instructions do not define delimiters or "ignore instructions" warnings for the content of these external files.
  - Capability inventory: The `Bash` tool allows the agent to execute any `wrangler` command, providing the ability to modify cloud infrastructure, execute SQL, and manage secrets based on potentially malicious file content.
  - Sanitization: No validation or filtering logic is present to inspect or sanitize the content of ingested files before they are passed to the CLI.
- [COMMAND_EXECUTION]: The skill relies on the `Bash` tool to perform sensitive administrative actions, including deploying production code (`wrangler deploy`), deleting resources (`wrangler delete`), and executing raw SQL commands (`wrangler d1 execute`).
- [EXTERNAL_DOWNLOADS]: Recommends the installation of the `wrangler` CLI and project templates from the official NPM registry and Cloudflare repositories, which are recognized as trusted sources.
- [DATA_EXFILTRATION]: Provides built-in capabilities to move data from Cloudflare cloud environments to the local environment, such as `wrangler d1 export` for database contents and `wrangler r2 object get` for object storage files.
Audit Metadata