Cloudflare
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Cloudflare integration, but it needs Membrane/Cloudflare authorization and can perform production-affecting Cloudflare changes, so permissions and destructive actions should be handled carefully.
Install this only if you trust Membrane and intend to let an agent manage Cloudflare. Use least-privilege Cloudflare access, verify account and zone targets, require explicit confirmation for destructive actions, and consider pinning the Membrane CLI version.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or over-broad action could remove DNS records, delete a Cloudflare zone or worker, or disrupt cache behavior for a production site.
The skill exposes actions that can materially affect a Cloudflare account and live infrastructure. This is aligned with a Cloudflare management integration, but the user should notice the impact before allowing such actions.
Popular actions include "Delete Worker", "Delete DNS Record", "Delete Zone", and "Purge All Cache"; running actions uses `membrane action run <actionId> --connectionId=CONNECTION_ID --json`.
Use explicit user approval for create, update, delete, purge, or deployment-related actions, and verify the target account, zone, and record before running them.

The agent may be able to view or act on multiple Cloudflare accounts depending on the permissions granted during login.
The skill relies on delegated Cloudflare/Membrane authentication and may operate across all Cloudflare accounts available to the authenticated user. This is expected, but it is sensitive authority.
“Membrane handles authentication and credentials refresh automatically” and “List Accounts | List all accounts you have access to.”
Authenticate with the least-privileged Cloudflare account or token suitable for the task, and revoke the Membrane/Cloudflare connection when it is no longer needed.

Installing the latest global CLI means behavior may change over time and depends on the npm package supply chain.
The setup uses a global npm install with an unpinned latest version. This is central to the skill's purpose, but it leaves version/provenance review to the user.
`npm install -g @membranehq/cli@latest`
Verify the package publisher and consider installing a pinned, reviewed version of the Membrane CLI in controlled environments.

Cloudflare account data and action requests may be processed through Membrane rather than only directly through Cloudflare.
Cloudflare actions and authentication flow through Membrane as an external integration gateway. This is disclosed and purpose-aligned, but it is an important data boundary.
“This skill uses the Membrane CLI to interact with Cloudflare. Membrane handles authentication and credentials refresh automatically.”
Use this skill only if you trust Membrane for the relevant Cloudflare account data and review Membrane's access, logging, and revocation controls.
