v1.1.0

cftunnel

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:03 AM.

Analysis

This appears to be a legitimate Cloudflare Tunnel helper, but it can use Cloudflare credentials to publish local services, change DNS/routes, and install a persistent tunnel service.

Guidance: Install only if you want an agent to manage Cloudflare Tunnels and DNS for you. Use a narrowly scoped Cloudflare API token, limit allowed zones/hostnames/ports, avoid exposing SSH or databases unless truly intended, and require confirmation before delete/replace operations or persistent service installation.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
`npx cftunnel quickstart ... --hostname <hostname> --service http://localhost:<port> --zone-id <zone-id>`; `route set ... Replace ALL routes`; `dns delete <record-id>`

The skill gives an agent commands that can publish local services and mutate or delete Cloudflare routing/DNS configuration, including bulk route replacement, without documenting confirmation or scope limits.

User impact: A mistaken or over-broad invocation could make a private local service public, break existing Cloudflare routes, or remove DNS records.
Recommendation: Require explicit user approval for creating, deleting, or replacing routes/DNS records, and restrict use to approved zones, hostnames, tunnel IDs, and local ports.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
install spec
`node | package: cftunnel -g | creates binaries: cftunnel`

The skill depends on installing an external npm package globally; this is expected for a CLI wrapper, but the reviewed artifacts do not include the package code or a pinned package version.

User impact: The installed npm package will be trusted with local execution and Cloudflare credentials.
Recommendation: Verify the npm package, publisher, repository, and version before installation, and prefer a pinned version where possible.

Rogue Agents
Severity: Medium | Confidence: High | Status: Note
SKILL.md
`npx cftunnel run <tunnel-id> --install-service` | `Install cloudflared as a persistent system service (survives reboots).`

The skill documents a mode that installs a long-running tunnel connector service that persists after the immediate task.

User impact: A tunnel could continue running and exposing a service after the agent session ends or after a reboot.
Recommendation: Use persistent service mode only after explicit user approval, and document how to stop and remove the service.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
`export CLOUDFLARE_API_KEY=<api-key>`; `export CLOUDFLARE_EMAIL=<account-email>`; `export CLOUDFLARE_ACCOUNT_ID=<account-id>`; `Option B: API Token (scoped, if available)`

The skill requires Cloudflare account credentials and treats a scoped API token as optional, so the default credential path may grant broader account authority than necessary.

User impact: If the agent or installed CLI misuses the credential, it could affect Cloudflare resources beyond the one tunnel or hostname the user intended.
Recommendation: Use a least-privilege Cloudflare API token limited to the required account, zone, tunnel, and DNS permissions rather than a broad API key.