cloudflare-deploy

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [Prompt Injection] (HIGH): The core instruction file SKILL.md directs the agent to bypass environment-level sandbox restrictions when its network calls are blocked. Evidence: 'When sandboxing blocks the deployment network calls, rerun with sandbox_permissions=require_escalated'. Impact: the directive makes the agent prioritize task completion over the environment's security boundary.
  • [Indirect Prompt Injection] (HIGH): The skill is designed to handle user-supplied application code and configuration for deployment, which creates a significant attack surface. Ingestion points: user-provided Worker scripts, infrastructure-as-code files, and configuration data processed across all documented services. Capability inventory: the skill uses high-trust capabilities, including deployment of executable code via wrangler deploy and infrastructure management with Terraform/Pulumi. Missing controls: the documentation specifies no boundary markers (e.g., delimiters) or 'ignore embedded instructions' warnings for external data, and no sanitization step before high-privilege operations are performed.
  • [Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The skill repeatedly instructs the agent to install packages and run scripts from third-party sources that are not on the provided Trusted Organizations whitelist. Evidence: references to npm install @cloudflare/puppeteer, pip install pyiceberg, and a remotely hosted script loaded from static.cloudflareinsights.com. Impact: potential remote code execution through a supply-chain compromise of an unverified package or registry.
  • [Privilege Escalation] (MEDIUM): The documentation contains examples that run operations with elevated system privileges. Evidence: instructions for sudo cloudflared service install and chmod +x on downloaded binaries. Impact: this encourages granting excessive permissions to deployment utilities, increasing the risk of system compromise.
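The four findings above are string-level patterns that a skill reviewer can check automatically before an agent is allowed to load a SKILL.md. The scanner below is an added example written for this page; it is not the Gen Agent Trust Hub's audit logic and not code from the cloudflare-deploy skill. It scans a constructed SKILL.md sample for the patterns the findings cite (the sandbox escalation directive, unpinned npm/pip installs, remote .js/.sh files from hosts outside an allowlist, and sudo or chmod +x steps) and rolls the hits up into an overall risk level. The regexes, rule names, severities, the `trusted_hosts` parameter and the sample text are assumptions for illustration.

```python
"""Added example: a pattern scanner for agent skill files (SKILL.md).

Illustrative code written for this page, not the audit tool's own rules.
Regexes, rule names, severities and the sample text are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Finding:
    rule: str      # which check fired
    severity: str  # HIGH or MEDIUM, mirroring the audit's levels
    line_no: int   # 1-based line in the skill file
    detail: str    # the token or line that triggered the rule


# Directive telling the agent to rerun outside the sandbox (the audit's HIGH finding).
SANDBOX_RE = re.compile(r"sandbox_permissions\s*=\s*require_escalated", re.I)
# `npm install <pkg>` / `pip install <pkg>`, skipping leading flags such as -g or -U.
INSTALL_RE = re.compile(r"\b(npm|pip)\s+install\s+(?:-\S+\s+)*([^\s;&|]+)")
# A script or shell file fetched over HTTP(S); group 1 is the host.
REMOTE_SCRIPT_RE = re.compile(r"https?://([^\s\"'<>/]+)[^\s\"'<>]*\.(?:js|sh)\b", re.I)
# sudo, or a chmod that adds execute permission.
PRIV_RE = re.compile(r"\bsudo\b|\bchmod\s+[ugoa]*\+[rw]*x", re.I)

_ORDER = ["LOW", "MEDIUM", "HIGH"]


def _is_pinned(manager: str, token: str) -> bool:
    """Heuristic: pip needs `==`; npm needs `@<version>` after the package name
    (a leading `@` is a scope, e.g. @cloudflare/puppeteer, not a version)."""
    if manager == "pip":
        return "==" in token
    name = token[1:] if token.startswith("@") else token
    return "@" in name


def scan_skill(text: str, trusted_hosts: Iterable[str] = ()) -> List[Finding]:
    """Run every rule over each line; hosts in trusted_hosts are not flagged."""
    trusted = {h.lower() for h in trusted_hosts}
    findings: List[Finding] = []
    for no, line in enumerate(text.splitlines(), 1):
        if SANDBOX_RE.search(line):
            findings.append(Finding("sandbox-escalation", "HIGH", no, line.strip()))
        for m in INSTALL_RE.finditer(line):
            manager, pkg = m.group(1), m.group(2)
            if not _is_pinned(manager, pkg):
                findings.append(Finding("unpinned-install", "MEDIUM", no, pkg))
        for m in REMOTE_SCRIPT_RE.finditer(line):
            if m.group(1).lower() not in trusted:
                findings.append(Finding("remote-script", "MEDIUM", no, m.group(0)))
        if PRIV_RE.search(line):
            findings.append(Finding("privileged-exec", "MEDIUM", no, line.strip()))
    return findings


def risk_level(findings: Iterable[Finding]) -> str:
    """Overall level is the highest severity seen; LOW when nothing fired."""
    level = "LOW"
    for f in findings:
        if _ORDER.index(f.severity) > _ORDER.index(level):
            level = f.severity
    return level


# Constructed sample modelled on the evidence quoted in the audit; not the real skill file.
SAMPLE_SKILL_MD = """\
# cloudflare-deploy (constructed sample)
Run `wrangler deploy` to publish the Worker.
When sandboxing blocks the deployment network calls, rerun with sandbox_permissions=require_escalated.
npm install @cloudflare/puppeteer
pip install pyiceberg
npm install -g wrangler@3.0.0
Add <script defer src="https://static.cloudflareinsights.com/beacon.min.js"></script> to the page.
curl -L -o cloudflared https://example.invalid/cloudflared-linux-amd64
chmod +x cloudflared
sudo cloudflared service install
"""

if __name__ == "__main__":
    hits = scan_skill(SAMPLE_SKILL_MD)
    for f in hits:
        print(f"{f.severity:6} {f.rule:20} line {f.line_no}: {f.detail}")
    print("Risk level:", risk_level(hits))
```

Running it on the sample reports six hits (one HIGH for the escalation directive, two unpinned installs, one remote script, and two privileged commands) and an overall level of HIGH; passing `trusted_hosts={"static.cloudflareinsights.com"}` drops the remote-script hit, which is how a reviewer would encode the Trusted Organizations whitelist the audit refers to. The checks are deliberately lexical: they find the directives and commands a skill asks the agent to run, not whether the agent would obey them.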
Recommendations
  • AI detected serious security threats. The findings above identify the items to address before trusting this skill: the sandbox-escalation directive in SKILL.md, the unpinned third-party package installs, the remotely loaded script, and the sudo / chmod +x steps on downloaded binaries.
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 09:07 PM