cloudflare-vpc-services

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • EXTERNAL_DOWNLOADS (LOW): The skill's utility scripts use npx wrangler without version pinning to execute management tasks. This results in the remote download and execution of a package from the npm registry. Although 'wrangler' is the standard tool for Cloudflare Workers, the use of npx with an unpinned version for an organization not on the strict trusted list (Cloudflare) constitutes a vulnerability. Severity is lowered from MEDIUM as it is central to the skill's primary function.
  • COMMAND_EXECUTION (LOW): The skill utilizes the Bash tool to execute provided scripts for Cloudflare configuration and management. These scripts are benign wrappers but represent a capability for local system interaction.
  • PROMPT_INJECTION (LOW): Ingesting log data via tail-worker.sh for troubleshooting creates an indirect prompt injection surface (Category 8).
    1. Ingestion points: Log stream from wrangler tail and local wrangler.jsonc files.
    2. Boundary markers: Absent; there are no instructions to the agent to treat this data as untrusted or delimited.
    3. Capability inventory: Bash, WebFetch, Grep, Glob, and Read tools are available.
    4. Sanitization: Absent; the agent processes log data directly, which could contain malicious instructions embedded by an attacker-controlled Worker.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:09 PM