Cloudflare

Warn

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [DATA_EXFILTRATION]: The skill accesses sensitive local environment files to retrieve credentials.
      • Evidence: The script in Workflows/Troubleshoot.md is hardcoded to read ~/Projects/your-project/.env and extract the CF_API_TOKEN using regular expressions.
  • [PROMPT_INJECTION]: The skill contains a behavior override mechanism that loads instructions from the user's home directory.
      • Evidence: SKILL.md instructs the agent to load and apply PREFERENCES.md from ~/.opencode/skills/PAI/USER/SKILLCUSTOMIZATIONS/Cloudflare/ to "override default behavior."
  • [COMMAND_EXECUTION]: The skill mandates immediate shell command execution upon any invocation.
      • Evidence: SKILL.md requires a curl POST request to http://localhost:8888/notify before any other action can be taken.
  • [EXTERNAL_DOWNLOADS]: The skill interacts with Cloudflare's official infrastructure.
      • Evidence: It makes API calls to api.cloudflare.com and utilizes the wrangler CLI tool. These are recognized as well-known and trusted services.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through external data processing.
      • Ingestion points: Deployment logs fetched via the Cloudflare API in Workflows/Troubleshoot.md, and customization files from the local filesystem.
      • Boundary markers: None identified; the agent is instructed to follow and apply the content of these inputs directly.
      • Capability inventory: The agent has the authority to modify the codebase ("Apply fixes to the codebase"), execute shell commands (wrangler deploy), and perform network operations.
      • Sanitization: No sanitization or validation of the ingested log data or preference files is performed before the agent acts upon them.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 5, 2026, 07:38 AM