Skills
skills/null-shot/cloudflare-skills/building-ai-agent-on-cloudflare/Gen Agent Trust Hub

building-ai-agent-on-cloudflare

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection.
  • Ingestion points: The onMessage (line 53) and onChatMessage (line 172) handlers ingest raw string data from external WebSocket or HTTP connections.
  • Boundary markers: No boundary markers or 'ignore embedded instructions' delimiters are used when interpolating user messages into the AI context (line 69, line 175).
  • Capability inventory: The agent possesses significant capabilities including this.sql for database modification (line 122) and this.schedule for triggering future events (line 140).
  • Sanitization: There is no evidence of input validation or sanitization before passing user data to the AI model or the SQL engine.
  • [COMMAND_EXECUTION] (HIGH): Risk of unauthorized database operations and task scheduling via the AI agent.
  • Evidence: While SQL template literals are used (line 122), an attacker using prompt injection could manipulate the logic to execute unintended queries or schedule malicious recurring tasks (line 155) if the agent is given broad instructions.
  • [REMOTE_CODE_EXECUTION] (MEDIUM): Dependency on an unverified and generic package name 'agents'.
  • Evidence: The skill instructs the user to import { Agent } from "agents" (line 39). Generic package names are high-risk targets for typosquatting or package confusion. In the Cloudflare ecosystem, official packages typically use the @cloudflare/ scope.
  • [EXTERNAL_DOWNLOADS] (LOW): Standard tool installation from trusted-adjacent sources.
  • Evidence: Instructs installation of wrangler and the use of npm create cloudflare@latest. While 'cloudflare' is not on the provided trusted organization list, these are industry-standard tools.
  • [FALSE POSITIVE ALERT] (INFO): The automated scanner's detection of 'this.ca' as a malicious URL is a false positive.
  • Evidence: The scanner likely identified the characters 'this.ca' within the code method this.cancelSchedule(taskId) (line 160). No actual network requests to the 'this.ca' domain are present in the skill code.
Recommendations
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 10:48 PM