Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cloudflare Manager

v1.1.0

Manage Cloudflare DNS records, Tunnels (cloudflared), and Zero Trust policies. Use for pointing domains, exposing local services via tunnels, and updating in...

by azzar budiyanto @1999azzar
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name, description, required binaries (python3, cloudflared), and required env vars (CLOUDFLARE_API_TOKEN, CLOUDFLARE_ZONE_ID) align with a Cloudflare DNS/tunnel manager. Minor mismatch: the description mentions 'Zero Trust policies' but the CLI implements DNS, zone settings (update_setting), and ingress updates; there is no explicit high-level Zero Trust policy management surface in the code.
Instruction Scope
SKILL.md and cf_manager.py stick to Cloudflare API calls and editing cloudflared config. However, the runtime instructions and script will read/write /etc/cloudflared/config.yml and restart the cloudflared systemd service using sudo. The docs reference references/sudoers.example for least-privilege sudo configuration, but that file is not present in the provided manifest — an inconsistency to resolve. The SKILL.md also uses $WORKSPACE paths which may not exist in all runtimes.
Install Mechanism
Install is local: scripts/install.sh creates a virtualenv and pip-installs 'requests' and 'PyYAML' from requirements.txt. No remote, arbitrary archive downloads or obscure third-party installers are used.
Credentials
Only Cloudflare credentials are required (CLOUDFLARE_API_TOKEN, CLOUDFLARE_ZONE_ID). The script also accepts CF_API_TOKEN / CF_ZONE_ID as fallbacks, which is reasonable. No unrelated credentials or broad secrets are requested.
Persistence & Privilege
The skill is not always-enabled and does not demand persistent platform privileges. It does, however, require sudo to update system config and restart cloudflared for the 'update-ingress' workflow — a legitimate need for this functionality but high-privilege. Ensure sudo is scoped tightly (the SKILL.md suggests this) before allowing these operations.
Assessment
This skill appears to do what it says (manage Cloudflare DNS and cloudflared ingress) and installs only Python dependencies into a local virtualenv, but it will attempt privileged operations on the host: editing /etc/cloudflared/config.yml and restarting the cloudflared systemd service via sudo. Before installing or running:

  1. Verify CLOUDFLARE_API_TOKEN is scoped to the minimum necessary permissions and intended zone.
  2. Inspect scripts/cf_manager.py yourself and run commands with --dry-run to preview changes.
  3. Confirm cloudflared is installed and CONFIG_PATH (/etc/cloudflared/config.yml) is correct for your system.
  4. Because the tool uses sudo, create a restricted sudoers rule (the docs reference a sudoers.example, but that file is not included) limiting the allowed commands (e.g., tee /etc/cloudflared/config.yml and systemctl restart cloudflared).
  5. Run the install script in a safe environment to create the venv and review packages installed.

If you need tighter assurance, request the missing sudoers.example and explicit Zero Trust policy management details from the author.


Runtime requirements

Bins: python3, cloudflared
Env: CLOUDFLARE_API_TOKEN, CLOUDFLARE_ZONE_ID
Tags: cloudflare, cloudflared, devops, dns, latest, tunnel
1.3k downloads
0 stars
4 versions
Updated 10h ago
MIT-0

Cloudflare Manager

Standardized system for managing Cloudflare infrastructure and local tunnel ingress.

Prerequisites

  • Binary: python3 and cloudflared must be installed.
  • Credentials: CLOUDFLARE_API_TOKEN (minimal Zone permissions) and CLOUDFLARE_ZONE_ID.

Setup

  1. Define credentials in the environment or a local .env file.
  2. Initialize the local environment: bash scripts/install.sh.

Core Workflows

1. DNS Management

Add, list, or delete DNS records via Cloudflare API.

  • List: python3 $WORKSPACE/skills/cloudflare-manager/scripts/cf_manager.py list-dns
  • Add: python3 $WORKSPACE/skills/cloudflare-manager/scripts/cf_manager.py add-dns --type A --name <subdomain> --content <ip>

2. Tunnel Ingress (Local)

Update /etc/cloudflared/config.yml and restart the tunnel service.

  • Update: python3 $WORKSPACE/skills/cloudflare-manager/scripts/cf_manager.py update-ingress --hostname <host> --service <url>
  • Safety: Use --dry-run to preview configuration changes before application.

Security & Permissions

  • Sudo Usage: The update-ingress command requires sudo to write to system directories and restart the cloudflared service.
  • Least Privilege: Configure restricted sudo access using the pattern in references/sudoers.example.
  • Token Isolation: Ensure API tokens are scoped narrowly to specific zones and permissions.

Reference
