ClawHub

Wrangler

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Cloudflare Wrangler command-reference skill, but users should be careful with production deletes, secrets, and database commands.

Install only if you want an agent to help with Cloudflare Wrangler operations. Before running commands, verify the Cloudflare account, environment, resource names, and production impact. Treat delete, rollback, bulk, migration, SQL, and secret commands as sensitive; back up data first and avoid putting plaintext secrets in shell history, logs, or committed files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill documents destructive Wrangler operations such as rollback and worker deletion without any warning, confirmation guidance, or notes about production impact. In an agent-executed context, this increases the chance of accidental service disruption or irreversible changes if the commands are surfaced or run without adequate user confirmation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The secrets section includes commands that accept secret values from stdin and bulk JSON files but omits warnings about exposing credentials through shell history, local files, logs, or insecure handling of plaintext secrets. Because this skill is intended for operational use with real credentials, the missing guidance materially raises the risk of credential leakage.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill describes database and object-storage deletion commands without warning about permanent data loss, backup requirements, or environment verification. In the context of D1 and R2 administration, these commands can destroy production data, making the omission especially dangerous for agents or users following the guide verbatim.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal