ClawHub

Cloudflare

v1.5.0

Manage Cloudflare domains, DNS records, SSL settings, zone configuration, firewall rules, tunnels, and analytics via the Cloudflare API. Use when the user as...

1· 1.7k·8 current·8 all-time
byShiwei Song@insipidpoint·duplicate of @insipidpoint/cf-zones
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Cloudflare domain/DNS/SSL/tunnel management) lines up with what is requested and provided: the script calls api.cloudflare.com and uses CLOUDFLARE_API_TOKEN (primary credential). Required binaries (curl, jq, openssl) are appropriate for HTTP calls, JSON processing, and generating secrets for tunnels.
Instruction Scope
SKILL.md instructs the agent to use the included scripts/cf.sh for all operations. The script performs only Cloudflare API calls, lists/manipulates DNS, settings, tunnels, analytics, and reads an import file only when the dns-import command is invoked. The SKILL.md documents destructive operations and says to confirm with the user before performing them.
Install Mechanism
No install spec or external downloads; the skill is instruction-only with a bundled script. Nothing is fetched from untrusted URLs and no archives are extracted.
Credentials
Only CLOUDFLARE_API_TOKEN is required (CLOUDFLARE_ACCOUNT_ID is optional for tunnel ops). These credentials are proportionate and directly relevant to Cloudflare management. No unrelated secrets or system config paths are requested.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system settings, and contains no installation step that persists beyond its own files. Autonomous invocation is allowed by default but is not combined with other concerning factors here.
Assessment
This skill appears to do what it says, but take these practical precautions before enabling it: 1) Use a least-privilege Cloudflare API token (give only the permissions needed, e.g., Zone:DNS:Edit for DNS tasks); 2) When running dns-import, only supply JSON files you trust (the script will read the file you point to); 3) Be aware curl is called with the Authorization header — the token is sent to api.cloudflare.com (as expected) and may appear briefly in process listings while curl runs; 4) Confirm any destructive actions (dns-delete, cache-purge, tunnel-delete, SSL/setting changes) before execution — the SKILL.md already advises this; 5) If you need tunnels, set CLOUDFLARE_ACCOUNT_ID and consider rotating tunnel secrets as needed. If you want higher assurance, review the included scripts/cf.sh yourself to verify there are no additional network endpoints or logging behaviors beyond api.cloudflare.com.

Like a lobster shell, security has layers — review code before you run it.

latestvk97459c8j10bzrqha8gewrqa1n819nm0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binscurl, jq, openssl
EnvCLOUDFLARE_API_TOKEN
Primary envCLOUDFLARE_API_TOKEN

Comments