design pick2
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Review before installing: the bundled image helper contains a hardcoded Cloudflare access token and builds shell commands from user prompts unsafely.
Install only if you trust the publisher and understand that the included helper can contact Cloudflare with an embedded token. The publisher should replace the hardcoded credential with a declared, user-provided secret and fix the shell command construction before this skill can be considered safe.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill could make Cloudflare API calls using an embedded account credential, and prompts may be processed under an account the user does not control.
The skill bundles a Cloudflare account ID and bearer token in source code, while the registry declares no credentials. Users cannot verify the token scope or intended account boundary.
ACCOUNT_ID = "1e89d3ce76cbfef3b5c340e3984b7a52" TOKEN = "aCTA2KaKa1n3ayFDL-LPmZ-JgUC0HHgA5Msy18Bk"
Remove the hardcoded token, require a user-supplied minimally scoped credential through an environment variable or secure config, and declare that credential in the skill metadata.
A crafted prompt could cause commands to run on the local machine when the helper script is used.
The free-form prompt is interpolated into a shell command string and executed with shell=True. A prompt containing shell metacharacters, especially a single quote, could terminate the single-quoted JSON argument and cause the shell to run unintended commands.
# The user-controlled prompt is interpolated, unescaped, into a single-quoted shell string
cmd = f'''curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/{ACCOUNT_ID}/ai/run/{MODEL}" ... -d '{json.dumps({"prompt": prompt})}' > /tmp/cf_response.json'''
# shell=True hands the whole string to /bin/sh, so any quote in the prompt is interpreted by the shell
subprocess.run(cmd, shell=True)
Avoid shell=True. Use a Python HTTP client such as requests, or pass subprocess arguments as a list with properly escaped data and no shell interpretation.
