Cloudflare Manager

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Cloudflare administration skill, but it grants broad Cloudflare and local sudo-level control without enough scoping or confirmation safeguards.

Install only if you are comfortable giving this skill administrative control over a Cloudflare zone and local cloudflared ingress. Use a dedicated least-privilege Cloudflare token, run --dry-run before applying changes, avoid broad sudo access, and manually review any delete-dns, update-setting, or update-ingress action before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
}

# Write back using sudo tee via subprocess
process = subprocess.Popen(['sudo', 'tee', CONFIG_PATH], stdin=subprocess.PIPE, stdout=subprocess.PIPE)
process.communicate(input=yaml_str.encode())

# Restart cloudflared
Confidence
89% confidence
Finding
process = subprocess.Popen(['sudo', 'tee', CONFIG_PATH], stdin=subprocess.PIPE, stdout=subprocess.PIPE)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    process.communicate(input=yaml_str.encode())

    # Restart cloudflared
    subprocess.run(['sudo', 'systemctl', 'restart', 'cloudflared'], check=True)
    return {"status": "success", "message": f"Updated ingress for {hostname} and restarted cloudflared."}

except Exception as e:
Confidence
86% confidence
Finding
subprocess.run(['sudo', 'systemctl', 'restart', 'cloudflared'], check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises and enables access to environment variables, shell execution, file reads, and network operations, yet it does not declare permissions explicitly. This weakens security review and policy enforcement because a caller may not realize the skill can access Cloudflare credentials, modify local state, and invoke privileged workflows.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill description understates and misstates behavior: it claims Zero Trust and tunnel management, but the detected behavior includes privileged local file modification, service restarts, and Cloudflare zone settings changes. This mismatch is dangerous because users may invoke the skill expecting routine DNS administration while it actually performs broader local and remote administrative actions.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill description emphasizes DNS, tunnels, and Zero Trust management, but the code exposes a generic zone settings modification primitive. This broader-than-advertised capability is dangerous because it can weaken security posture or alter traffic behavior in ways operators may not expect from the stated skill scope.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill claims Cloudflare-management functionality but also performs privileged local host operations with sudo, including writing config files and restarting services. That mismatch materially increases risk because a caller expecting remote API-only changes may unintentionally grant a path to alter local exposure of internal services.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
DNS deletion is a destructive action that is executed immediately with credential-backed authority and no confirmation, preview, or guardrail. In an agent setting, this increases the chance of accidental or manipulated service disruption.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
update_setting allows credential-backed modifications to arbitrary zone settings without user-facing disclosure or constraints. In this context, that can silently change security-relevant behavior such as TLS, caching, or other protections, making the broad capability more dangerous than ordinary API use.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
- **Safety**: Use `--dry-run` to preview configuration changes before application.

## Security & Permissions
- **Sudo Usage**: The `update-ingress` command requires `sudo` to write to system directories and restart the `cloudflared` service.
- **Least Privilege**: Configure restricted sudo access using the pattern in `references/sudoers.example`.
- **Token Isolation**: Ensure API tokens are scoped narrowly to specific zones and permissions.
Confidence
90% confidence
Finding
Sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
## Security & Permissions
- **Sudo Usage**: The `update-ingress` command requires `sudo` to write to system directories and restart the `cloudflared` service.
- **Least Privilege**: Configure restricted sudo access using the pattern in `references/sudoers.example`.
- **Token Isolation**: Ensure API tokens are scoped narrowly to specific zones and permissions.

## Reference
Confidence
88% confidence
Finding
sudo

VirusTotal

64/64 vendors flagged this skill as clean.
