cloudflare-d1
Warn
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The script `assets/d1-setup-migration.sh` contains a shell command injection vulnerability. The `DATABASE_NAME` variable is directly interpolated into multiple `npx wrangler` commands without validation or sanitization. A malicious input containing shell control characters (e.g., `my-db; touch /tmp/exploited`) would result in arbitrary code execution in the user's terminal context.
- [EXTERNAL_DOWNLOADS] (LOW): The skill uses `npx wrangler` to dynamically download and execute the Cloudflare CLI. While this is a standard developer workflow, it introduces a dependency on the npm registry and the integrity of the `wrangler` package. The skill is sourced from a non-trusted repository (github.com/jezweb/claude-skills), which increases the risk of supply chain manipulation.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill acts as an ingestion point for external SQL files (`migrations/*.sql`) and user-provided configuration. If these sources are attacker-controlled, they could influence the agent's behavior during database setup.
  - Ingestion points: SQL migration files and terminal input.
  - Boundary markers: None present; the script lacks delimiters or warnings to ignore instructions inside processed files.
  - Capability inventory: File system write access (`mkdir`, `cat`), network access via `wrangler`, and database execution privileges.
  - Sanitization: Absent; the script executes shell commands and processes files based on filename patterns without validation.