Back to skill

Security audit

cftunnel

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it can make local services publicly reachable and change Cloudflare DNS/tunnel state without enough safety guidance.

Review before installing. Only use it for services you intentionally want public, confirm the exact hostname and localhost port, avoid exposing admin panels, databases, SSH, or debug apps, use scoped Cloudflare API tokens when possible, and do not enable persistent service mode unless you explicitly want a tunnel to survive reboots.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly guides an agent to expose localhost services on a public HTTPS hostname, but it does not provide any warning or gating about internet exposure, authentication, or the risk of unintentionally publishing internal admin panels, dev servers, databases, or sensitive test environments. In an agent context, this omission is dangerous because a model may follow the 'fastest path' and make a private service publicly reachable without the user understanding the security and privacy consequences.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The authentication section instructs users to export highly sensitive Cloudflare credentials, including an API key, email, token, and account ID, but gives no guidance on least privilege, secret storage, shell history risks, or avoiding disclosure in logs and transcripts. In an agent-operated environment, this can lead to over-privileged credentials being handled insecurely or echoed into command history, increasing the chance of credential leakage and broader account compromise.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documented `--install-service` option installs cloudflared as a persistent system service, but the surrounding guidance does not prominently warn that this modifies system state, may require elevated privileges, and survives reboots. For an autonomous or semi-autonomous agent, this raises the risk of making a durable system change that keeps an externally reachable tunnel active beyond the user's immediate session.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.