Cloudflare Manager
v1.0.0Manage Cloudflare via API — DNS zones and records, page rules, SSL/TLS settings, caching, firewall rules, Workers, and analytics. Free tier includes DNS, CDN, DDoS protection, and SSL.
⭐ 0· 952·0 current·0 all-time
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The SKILL.md and scripts/cloudflare.py implement a Cloudflare API CLI (zones, DNS, firewall, workers, analytics) which is coherent with the skill name/description. However, the registry metadata declares no required credentials or config paths while both the README and the script require an API token stored at ~/.config/cloudflare/token. That omission in metadata is an incoherence.
Instruction Scope
SKILL.md instructs only Cloudflare-related actions and how to store the API token. The script performs HTTP requests only to api.cloudflare.com and operates on Cloudflare resources. There are no instructions to read unrelated system files or transmit data to other endpoints.
Install Mechanism
There is no install spec (instruction-only) and an included Python script that relies only on the standard library. Nothing is downloaded from arbitrary URLs or extracted to disk by an installer. Risk from install mechanism is low.
Credentials
The skill requires a Cloudflare API token (SKILL.md and script expect ~/.config/cloudflare/token) but the registry metadata lists no required env vars or config paths and no primary credential. Requesting a Cloudflare token is proportionate to the stated purpose, but the missing declaration is a metadata/integrity problem that makes it harder to assess privilege scope up front.
Persistence & Privilege
Flags are default (not always), the skill does not request elevated system privileges, and it only suggests creating a token file under the user's home (~/.config/cloudflare). It does not modify other skills or system-wide settings.
What to consider before installing
What to consider before installing:
- Source verification: the skill has no homepage and an unknown source; confirm the author or obtain the script from a trusted location before installing or running it.
- Credential handling: the tool requires a Cloudflare API token stored at ~/.config/cloudflare/token. Do NOT store your global API key; create an API Token with the minimal scopes needed (prefer zone-specific permissions and avoid account-wide rights).
- Least privilege: grant only Zone:DNS/Zone:Edit or other minimal permissions required for your workflow; avoid broad permissions that allow deleting zones or changing nameservers unless explicitly needed.
- File security: set the token file permissions to 600 and ensure only you can read it. Rotate the token after use if you have doubts.
- Review code: we inspected scripts/cloudflare.py — it calls only api.cloudflare.com and follows expected API paths. Still review the full script yourself (or run it in an isolated environment) if you lack trust in the publisher.
- Metadata mismatch: ask the publisher to update the registry metadata to declare the required config path or credential; the current omission is an integrity/usability concern.
- Risk summary: granting a Cloudflare API token lets the tool modify DNS, firewall, and routing — an attacker with that token could redirect traffic, disable protections, or take ownership of services. Use a limited-scope token and test in a non-production zone first.Like a lobster shell, security has layers — review code before you run it.
latest
Cloudflare API Skill
Control Cloudflare infrastructure: DNS management, CDN, security, Workers, and more.
Authentication
API token required. Get one from: https://dash.cloudflare.com/profile/api-tokens
Recommended permissions:
- Zone:Zone:Read
- Zone:Zone:Edit
- Zone:DNS:Read
- Zone:DNS:Edit
Store in ~/.config/cloudflare/token:
mkdir -p ~/.config/cloudflare
echo -n "YOUR_API_TOKEN" > ~/.config/cloudflare/token
chmod 600 ~/.config/cloudflare/token
Quick Reference
Zones (Domains)
# List all zones
python3 scripts/cloudflare.py zones list
# Get zone details
python3 scripts/cloudflare.py zones get <domain>
# Add new zone
python3 scripts/cloudflare.py zones add <domain>
# Delete zone
python3 scripts/cloudflare.py zones delete <domain>
# Check zone status (pending/active)
python3 scripts/cloudflare.py zones status <domain>
# Purge cache
python3 scripts/cloudflare.py zones purge <domain>
python3 scripts/cloudflare.py zones purge <domain> --urls https://example.com/page
DNS Records
# List records for a zone
python3 scripts/cloudflare.py dns list <domain>
# Add record
python3 scripts/cloudflare.py dns add <domain> --type A --name @ --content 1.2.3.4
python3 scripts/cloudflare.py dns add <domain> --type CNAME --name www --content example.com
python3 scripts/cloudflare.py dns add <domain> --type MX --name @ --content mail.example.com --priority 10
python3 scripts/cloudflare.py dns add <domain> --type TXT --name @ --content "v=spf1 include:_spf.google.com ~all"
# Update record
python3 scripts/cloudflare.py dns update <domain> <record_id> --content 5.6.7.8
# Delete record
python3 scripts/cloudflare.py dns delete <domain> <record_id>
# Proxy toggle (orange cloud on/off)
python3 scripts/cloudflare.py dns proxy <domain> <record_id> --on
python3 scripts/cloudflare.py dns proxy <domain> <record_id> --off
SSL/TLS
# Get SSL mode
python3 scripts/cloudflare.py ssl get <domain>
# Set SSL mode (off, flexible, full, strict)
python3 scripts/cloudflare.py ssl set <domain> --mode full
# Always use HTTPS
python3 scripts/cloudflare.py ssl https <domain> --on
Page Rules
# List page rules
python3 scripts/cloudflare.py rules list <domain>
# Add redirect rule
python3 scripts/cloudflare.py rules add <domain> --match "example.com/*" --redirect "https://new.com/$1"
# Delete rule
python3 scripts/cloudflare.py rules delete <domain> <rule_id>
Firewall
# List firewall rules
python3 scripts/cloudflare.py firewall list <domain>
# Block IP
python3 scripts/cloudflare.py firewall block <domain> --ip 1.2.3.4 --note "Spammer"
# Block country
python3 scripts/cloudflare.py firewall block <domain> --country CN --note "Block China"
# Whitelist IP
python3 scripts/cloudflare.py firewall allow <domain> --ip 1.2.3.4
# Challenge (captcha) for IP range
python3 scripts/cloudflare.py firewall challenge <domain> --ip 1.2.3.0/24
Analytics
# Get traffic stats (last 24h)
python3 scripts/cloudflare.py analytics <domain>
# Get stats for date range
python3 scripts/cloudflare.py analytics <domain> --since 2024-01-01 --until 2024-01-31
Workers (Serverless)
# List workers
python3 scripts/cloudflare.py workers list
# Deploy worker
python3 scripts/cloudflare.py workers deploy <name> --script worker.js
# Delete worker
python3 scripts/cloudflare.py workers delete <name>
DNS Record Types
| Type | Purpose | Example |
|---|---|---|
| A | IPv4 address | 192.0.2.1 |
| AAAA | IPv6 address | 2001:db8::1 |
| CNAME | Alias | www → example.com |
| MX | Mail server | mail.example.com (priority 10) |
| TXT | Text/verification | v=spf1 ... |
| NS | Nameserver | ns1.example.com |
| SRV | Service | _sip._tcp.example.com |
| CAA | Certificate authority | letsencrypt.org |
Proxy Status (Orange Cloud)
- Proxied (on): Traffic goes through Cloudflare CDN — caching, DDoS protection, hides origin IP
- DNS only (off): Direct connection to origin — use for mail servers, non-HTTP services
# Enable proxy
python3 scripts/cloudflare.py dns add example.com --type A --name @ --content 1.2.3.4 --proxied
# Disable proxy (DNS only)
python3 scripts/cloudflare.py dns add example.com --type A --name mail --content 1.2.3.4 --no-proxy
SSL Modes
| Mode | Description |
|---|---|
| off | No SSL (not recommended) |
| flexible | HTTPS to Cloudflare, HTTP to origin |
| full | HTTPS end-to-end, any cert on origin |
| strict | HTTPS end-to-end, valid cert on origin |
Common Workflows
Add a New Domain
# 1. Add zone to Cloudflare
python3 scripts/cloudflare.py zones add example.com
# 2. Note the nameservers (e.g., adam.ns.cloudflare.com, bella.ns.cloudflare.com)
# 3. Update nameservers at your registrar
# 4. Add DNS records
python3 scripts/cloudflare.py dns add example.com --type A --name @ --content 1.2.3.4 --proxied
python3 scripts/cloudflare.py dns add example.com --type CNAME --name www --content example.com --proxied
# 5. Set SSL to strict
python3 scripts/cloudflare.py ssl set example.com --mode strict
Migrate DNS from Another Provider
# 1. Add zone (Cloudflare will scan existing records)
python3 scripts/cloudflare.py zones add example.com
# 2. Verify records imported correctly
python3 scripts/cloudflare.py dns list example.com
# 3. Add any missing records
python3 scripts/cloudflare.py dns add example.com --type MX --name @ --content mail.example.com --priority 10
# 4. Update nameservers at registrar
# 5. Wait for propagation, check status
python3 scripts/cloudflare.py zones status example.com
Set Up Email Records
# MX records
python3 scripts/cloudflare.py dns add example.com --type MX --name @ --content mx1.provider.com --priority 10
python3 scripts/cloudflare.py dns add example.com --type MX --name @ --content mx2.provider.com --priority 20
# SPF
python3 scripts/cloudflare.py dns add example.com --type TXT --name @ --content "v=spf1 include:_spf.provider.com ~all"
# DKIM
python3 scripts/cloudflare.py dns add example.com --type TXT --name selector._domainkey --content "v=DKIM1; k=rsa; p=..."
# DMARC
python3 scripts/cloudflare.py dns add example.com --type TXT --name _dmarc --content "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
Direct API Access
TOKEN=$(cat ~/.config/cloudflare/token)
curl -H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
https://api.cloudflare.com/client/v4/zones
API Documentation
- Full API reference: https://developers.cloudflare.com/api/
- API v4 base URL: https://api.cloudflare.com/client/v4/
Free Plan Includes
- DNS hosting (unlimited queries)
- CDN (caching at 300+ edge locations)
- DDoS protection (unmetered)
- SSL/TLS certificates (auto-renewed)
- 3 page rules
- Basic firewall rules
- Analytics
Nameservers
When you add a domain, Cloudflare assigns two nameservers like:
adam.ns.cloudflare.combella.ns.cloudflare.com
Update these at your domain registrar. Zone stays "pending" until nameservers propagate.
Comments
Loading comments...