SPF DKIM Setup

Manage DNS records via the Cloudflare API. Create, list, update, and delete DNS records (A, AAAA, CNAME, TXT, MX, SPF, DKIM). Use when the agent needs to add...

MIT-0 · Free to use, modify, and redistribute. No attribution required.

⭐ 0 · 295 · 0 current installs · 0 all-time installs

byMasas Dani@masasdani

MIT-0

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

high confidence

ℹ

Purpose & Capability

The SKILL.md describes Cloudflare DNS management (create/list/update/delete records) which matches the skill name and description — that capability is coherent. However, the skill's runtime instructions require CLOUDFLARE_API_TOKEN and CLOUDFLARE_ZONE_ID, but the registry metadata lists no required environment variables or primary credential. That mismatch is unexpected and should be corrected.

ℹ

Instruction Scope

Instructions are narrowly scoped to Cloudflare DNS API calls and email-auth record handling (SPF/DKIM/DMARC) and do not request unrelated system files or credentials. They reference a Mailtarget integration workflow which could require additional credentials (not declared). Examples use curl and jq but the metadata does not declare required binaries; relying on tools not declared may lead to runtime surprises.

✓

Install Mechanism

This is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written to disk by the skill itself. That reduces installer risk.

Credentials

The SKILL.md explicitly requires CLOUDFLARE_API_TOKEN (DNS Write) and CLOUDFLARE_ZONE_ID but the registry metadata lists zero required env vars/credentials. Requesting a token with DNS Write permission is proportional to the stated function, but the omission from metadata is a serious coherence/visibility issue. Additionally, the documented Mailtarget integration implies other credentials may be needed but none are declared.

✓

Persistence & Privilege

The skill is not always-included and does not request elevated persistence. It is user-invocable and allows standard autonomous invocation (platform default). There is no instruction to modify other skills or system-wide settings.

What to consider before installing

Before installing, verify and fix the metadata mismatch: the SKILL.md requires CLOUDFLARE_API_TOKEN (with DNS Write scope) and CLOUDFLARE_ZONE_ID but the registry lists no required env vars. Only provide a Cloudflare token scoped to the specific zone and minimum permissions (prefer zone-scoped or limited API token rather than global account keys). Be aware examples use curl and jq — ensure those tools exist or adapt commands. If you plan to enable autonomous use, consider restricting the token to a non-production/test zone first to confirm behavior. Ask the publisher to (1) update the registry metadata to declare the required env vars/primary credential, (2) document exactly what Mailtarget credentials (if any) are needed for the Mailtarget integration, and (3) explain why jq/curl are assumed available. If the publisher cannot justify or correct these discrepancies, do not install or provide sensitive credentials.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0

Download zip

latestvk977zyyd7hc8ker03km5hj01jx81pbqe

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Cloudflare DNS

Manage DNS records on Cloudflare-hosted domains via the Cloudflare API.

Setup

Set these environment variables:

CLOUDFLARE_API_TOKEN — API token with DNS Write permission (create one)
CLOUDFLARE_ZONE_ID — Zone ID of the domain (found on the domain overview page in Cloudflare dashboard)

API Basics

Base URL: https://api.cloudflare.com/client/v4

Auth header: Authorization: Bearer $CLOUDFLARE_API_TOKEN

All responses follow: {"success": true, "result": {...}, "errors": [], "messages": []}

Common Operations

List DNS records

curl -s "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" | jq '.result[] | {id, type, name, content}'

Filter by type or name:

# TXT records only
curl -s "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records?type=TXT" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

# By name
curl -s "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records?name=example.com" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

Create a DNS record

curl -X POST "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "TXT",
    "name": "example.com",
    "content": "v=spf1 include:_spf.mailtarget.co ~all",
    "ttl": 3600
  }'

Update a DNS record

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records/$RECORD_ID" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"content": "new-value"}'

Delete a DNS record

curl -X DELETE "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records/$RECORD_ID" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

Email Authentication Setup

SPF record (TXT)

{"type": "TXT", "name": "example.com", "content": "v=spf1 include:_spf.mailtarget.co ~all", "ttl": 3600}

If an SPF record already exists, merge the include: directive into the existing value.

DKIM record (TXT)

Use the hostname and value from your email provider:

{"type": "TXT", "name": "selector._domainkey.example.com", "content": "v=DKIM1; k=rsa; p=MIGf...", "ttl": 3600}

DMARC record (TXT)

{"type": "TXT", "name": "_dmarc.example.com", "content": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com", "ttl": 3600}

CNAME record (for tracking domains)

{"type": "CNAME", "name": "track.example.com", "content": "tracking.mailtarget.co", "ttl": 3600, "proxied": false}

Important: Set proxied: false for email-related CNAME records (DKIM, tracking) — Cloudflare proxy breaks email authentication.

Mailtarget Integration Workflow

When used together with mailtarget-email, the agent can do end-to-end domain setup:

Create sending domain in Mailtarget → POST /domain/sending
Read required DNS records → GET /domain/sending/{id} returns SPF, DKIM, CNAME values
Add DNS records in Cloudflare using this skill
Verify domain in Mailtarget → PUT /domain/sending/{id}/verify-txt
Confirm all records are verified

Zero manual DNS editing required.

Reference

See references/api.md for full endpoint documentation.

Files

2 total

Select a file

Select a file to preview.

Comments

Loading comments…