cloudflare-workers-observability

Warn

Audited by Gen Agent Trust Hub on Apr 4, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/analyze-logs.sh constructs a command string by interpolating user-provided command-line arguments (such as --worker, --env, and --search) and then executes the resulting string using eval. This pattern is susceptible to command injection if an attacker can influence the arguments passed to the script.
      • Evidence: scripts/analyze-logs.sh lines 145, 169, and 178 utilize eval "$cmd" where $cmd is built in the build_tail_cmd function using unsanitized variables.
  • [DATA_EXFILTRATION]: The skill implements log forwarding and alerting by sending data to external well-known endpoints (Slack, PagerDuty, OpsGenie, Datadog, Splunk). While these are standard services, the skill transmits potentially sensitive log data to these remote servers.
      • Evidence: Multiple files including templates/tail-worker.ts and references/alerting.md contain fetch calls to external logging and alerting providers.
  • [SAFE]: The skill includes comprehensive patterns for redacting sensitive information (e.g., passwords, tokens, secrets) from log entries before they are output or forwarded. This demonstrates an 'assume-sensitive' posture for user data.
      • Evidence: templates/logging-setup.ts defines DEFAULT_REDACT_PATTERNS and a redact method used in the logging pipeline.
  • [PROMPT_INJECTION]: The tail worker components ingest log data and exception messages from external sources (producer workers). If an AI agent is used to process or analyze these logs, malicious content within the logs could potentially influence the agent's behavior. This represents an indirect prompt injection surface.
      • Ingestion points: tail function in templates/tail-worker.ts and references/tail-workers.md.
      • Boundary markers: Absent; data is processed as structured JSON but message content is free-text.
      • Capability inventory: Includes network access via fetch and output via console.log.
      • Sanitization: Includes redaction of known sensitive keys, but does not sanitize the content of log messages against adversarial prompt patterns.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 4, 2026, 07:40 AM