wrangler-tunnel
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Unverifiable Dependencies & Remote Code Execution] (HIGH): Executes local bash scripts that perform file system and process operations. Evidence: Execution of start-wrangler.sh and create-dev-auth.sh via shell command triggers.
- [Dynamic Execution] (HIGH): The skill generates TypeScript wrapper files and executes them. Evidence: create-dev-auth.sh writes worker logic to _dev-entry.ts which is then run by the wrangler CLI. This allows for the execution of code not reviewed during skill installation.
- [Indirect Prompt Injection] (HIGH): Untrusted data from wrangler.toml is interpolated into generated scripts. Ingestion points: wrangler.toml (main entry field). Boundary markers: Absent. Capability inventory: File writing (cat) and process execution (wrangler). Sanitization: Absent; allows for code injection if wrangler.toml is maliciously crafted.
- [Data Exposure & Exfiltration] (MEDIUM): Uses hardcoded credentials for the tunnel's Basic Authentication. Evidence: 'hinata:0014' is plaintext in both the skill's scripts and documentation.
- [Privilege Escalation] (LOW): Uses predictable PID files in /tmp/wrangler-tunnel.pid for process management, which could be exploited in shared environments to interfere with other processes.
Recommendations
- AI detected serious security threats
Audit Metadata