The Agent Skills Directory

Data Exposure & Exfiltration (SAFE): Network operations in the templates use placeholder URLs (e.g., api.example.com) for demonstration purposes. No hardcoded credentials, API keys, or sensitive file path access were detected.
Unverifiable Dependencies (SAFE): The dependencies identified (wrangler, @cloudflare/workers-types, hono) are standard, well-maintained tools within the Cloudflare Workers ecosystem. No suspicious or unversioned remote script executions were found.
Indirect Prompt Injection (LOW): The templates provide ingestion points for external data via event.payload. While this constitutes a potential attack surface in a deployed application, the skill correctly demonstrates using step.do to isolate these operations and includes basic validation patterns.
Automated Scanner Alert (SAFE): The URLite scanner alert for 'req.url.in' is a false positive. The codebase contains standard patterns like new URL(req.url), where 'req.url' is a property of the Request object, not a malicious domain reference.
Persistence Mechanisms (SAFE): The skill utilizes Cloudflare Workflows' native state persistence (step.sleep, step.do). This is the intended functionality of the framework and does not represent a malicious backdoor or system persistence attempt.

cloudflare-workflows