Cloudflare API
Connect to Cloudflare API for DNS management, tunnels, and zone administration. Use when user needs to manage domains, DNS records, or create tunnels.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
by Lucas Synnott (@lucassynnott)
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
The name/description match the included scripts: they call the Cloudflare API to list zones, manage DNS records, and manage tunnels. Declared required binaries (curl, jq) are appropriate. However, scripts also call openssl (to generate a tunnel secret) and the README references cloudflared for running tunnels; openssl and cloudflared are not declared as required binaries. The capability set itself is consistent with the stated purpose.
Instruction Scope
SKILL.md instructs storing an API token in ~/.cloudflare_token or in CLOUDFLARE_API_TOKEN and to run ./scripts/setup.sh; the scripts indeed read ~/.cloudflare_token and the environment variable. The instructions and scripts do not try to read unrelated system files or contact endpoints outside Cloudflare's API, which is good. The concern is the SKILL.md and package metadata disagree on what credentials/config are required (see environment_proportionality).
Install Mechanism
There is no install spec (instruction-only style) and no remote downloads; all code is included in the bundle. That keeps install risk low. No extracted archives or external installers are used. Note: because scripts run commands (openssl, cloudflared), the runtime must have those binaries and the skill will rely on them when executed.
Credentials
The scripts require a Cloudflare API token (read from CLOUDFLARE_API_TOKEN or ~/.cloudflare_token) and SKILL.md describes required token scopes (Zone:Read, DNS:Edit, Account:Cloudflare Tunnel:Edit). But the registry metadata lists no required environment variables and no primary credential — a clear mismatch. The requested permissions are appropriate for the task (not excessive), but the metadata omission is misleading and could cause users to accidentally provide a high-privilege token without realizing it.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or agent-wide configuration. It reads a token file from the user's home and uses it to call Cloudflare APIs — expected behavior for this functionality.
What to consider before installing
- This package is a local script-based Cloudflare client. It needs your Cloudflare API token (either in CLOUDFLARE_API_TOKEN or stored at ~/.cloudflare_token). The registry metadata did not declare this — treat that omission as a red flag.
- The skill also calls openssl (to generate a secret) and the README mentions running cloudflared; make sure those binaries exist and that you understand what they will execute. The metadata only lists curl and jq, so openssl/cloudflared are undeclared dependencies.
- Only provide a token scoped to the minimum permissions needed (Zone:Read, DNS:Edit, Account:Cloudflare Tunnel:Edit) and avoid using an account-level or global API key. Prefer creating a limited API token in the Cloudflare dashboard.
- Inspect the scripts locally before running them (they are included in the package). Confirm they only call api.cloudflare.com and do not exfiltrate data elsewhere — in this case the scripts call only Cloudflare endpoints.
- Store the token securely (file with chmod 600 or environment variable managed by your secrets tooling). If you have any doubt about the author/source, do not provide credentials and run the scripts in an isolated environment.
If the publisher fixes the metadata to declare the token and openssl/cloudflared requirements and you review the scripts yourself, the skill is coherent for its intended purpose. Until then, proceed cautiously.
Like a lobster shell, security has layers — review code before you run it.
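One way to carry out the script inspection recommended above, as an added example (not part of the skill bundle or of the scanner output): it lists URL hosts other than api.cloudflare.com and watchlisted binaries that the metadata does not declare. The function names, the watchlist and the sample bundle are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example: pre-install audit of a skill bundle's *.sh files.
# WATCHLIST and the sample bundle below are constructed for illustration.
WATCHLIST="curl jq openssl cloudflared wget nc ssh scp python3 base64"

# Print URL hosts found in the scripts that are not the allowed API host.
# Userinfo and port are stripped first so the real host is what gets compared.
unexpected_hosts() {
  local dir=$1 allowed=${2:-api.cloudflare.com}
  grep -rhoE --include='*.sh' "https?://[^/\"'[:space:])]+" "$dir" \
    | sed -E 's#^https?://##; s#^.*@##; s#:.*$##' \
    | tr '[:upper:]' '[:lower:]' | sort -u \
    | grep -vxF -e "$allowed" -e localhost -e 127.0.0.1 || true
}

# Print watchlisted binaries that appear in the scripts but are not declared.
# Heuristic: anything after the first '#' on a line is ignored as a comment.
undeclared_bins() {
  local dir=$1 declared=" $2 " bin
  for bin in $WATCHLIST; do
    case $declared in *" $bin "*) continue ;; esac
    if grep -rqE --include='*.sh' \
        "^[^#]*(^|[^A-Za-z0-9_.-])$bin([^A-Za-z0-9_.-]|\$)" "$dir"; then
      echo "$bin"
    fi
  done
}

# Build a constructed two-script bundle to try the checks on.
make_sample() {
  local d; d=$(mktemp -d)
  mkdir -p "$d/scripts/tunnels" "$d/scripts/zones"
  cat > "$d/scripts/zones/list.sh" <<'EOF'
# cloudflared is only mentioned in this comment
curl -s -H "Authorization: Bearer $TOKEN" \
  "https://api.cloudflare.com/client/v4/zones" | jq -r '.result[].name'
EOF
  cat > "$d/scripts/tunnels/create.sh" <<'EOF'
SECRET=$(openssl rand -base64 32)
curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCT/cfd_tunnel"
EOF
  echo "$d"
}

# Usage: ./audit.sh <bundle-dir> "<declared bins>"
if [ -n "${1:-}" ]; then
  echo "hosts: $(unexpected_hosts "$1" | tr '\n' ' ')"
  echo "bins:  $(undeclared_bins "$1" "${2:-}" | tr '\n' ' ')"
fi
```

Empty output from both checks means nothing outside the allowlist was found by these heuristics; it does not replace reading the scripts.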
Current version: v1.0.0
Runtime requirements
☁️ Clawdis
Bins: curl, jq
SKILL.md
Cloudflare Skill
Connect to Cloudflare API for DNS management, tunnels, and zone administration.
Setup
1. Get Your API Token
- Go to dash.cloudflare.com/profile/api-tokens
- Create a token with required permissions:
  - Zone:Read - List domains
  - DNS:Edit - Manage DNS records
  - Account:Cloudflare Tunnel:Edit - Manage tunnels
- Copy the token
2. Configure
# Option A: Store in file (recommended)
echo "YOUR_API_TOKEN" > ~/.cloudflare_token
chmod 600 ~/.cloudflare_token
# Option B: Environment variable
export CLOUDFLARE_API_TOKEN="YOUR_API_TOKEN"
3. Test Connection
./scripts/setup.sh
Commands
Zones (Domains)
./scripts/zones/list.sh # List all zones
./scripts/zones/list.sh --json # JSON output
./scripts/zones/get.sh example.com # Get zone details
DNS Records
# List records
./scripts/dns/list.sh example.com
./scripts/dns/list.sh example.com --type A
./scripts/dns/list.sh example.com --name api
# Create record
./scripts/dns/create.sh example.com \
  --type A \
  --name api \
  --content 1.2.3.4 \
  --proxied
# Create CNAME
./scripts/dns/create.sh example.com \
  --type CNAME \
  --name www \
  --content example.com \
  --proxied
# Update record
./scripts/dns/update.sh example.com \
  --name api \
  --type A \
  --content 5.6.7.8
# Delete record
./scripts/dns/delete.sh example.com --name api --type A
Tunnels
# List tunnels
./scripts/tunnels/list.sh
# Create tunnel
./scripts/tunnels/create.sh my-tunnel
# Configure tunnel ingress
./scripts/tunnels/configure.sh my-tunnel \
  --hostname app.example.com \
  --service http://localhost:3000
# Get run token
./scripts/tunnels/token.sh my-tunnel
# Delete tunnel
./scripts/tunnels/delete.sh my-tunnel
Token Permissions
| Feature | Required Permission |
|---|---|
| List zones | Zone:Read |
| Manage DNS | DNS:Edit |
| Manage tunnels | Account:Cloudflare Tunnel:Edit |
Create token at: dash.cloudflare.com/profile/api-tokens
Common Workflows
Point subdomain to server
./scripts/dns/create.sh mysite.com --type A --name api --content 1.2.3.4 --proxied
Set up tunnel for local service
# 1. Create tunnel
./scripts/tunnels/create.sh webhook-tunnel
# 2. Configure ingress
./scripts/tunnels/configure.sh webhook-tunnel \
  --hostname hook.mysite.com \
  --service http://localhost:8080
# 3. Add DNS record (CNAME to the tunnel's cfargotunnel.com name)
TUNNEL_ID=$(./scripts/tunnels/list.sh --name webhook-tunnel --quiet)
./scripts/dns/create.sh mysite.com \
  --type CNAME \
  --name hook \
  --content "${TUNNEL_ID}.cfargotunnel.com" \
  --proxied
# 4. Run tunnel (quote the token so it is passed as a single argument)
TOKEN=$(./scripts/tunnels/token.sh webhook-tunnel)
cloudflared tunnel run --token "$TOKEN"
Output Formats
| Flag | Description |
|---|---|
| --json | Raw JSON from API |
| --table | Formatted table (default) |
| --quiet | Minimal output (IDs only) |
Troubleshooting
| Error | Solution |
|---|---|
| "No API token found" | Run setup or set CLOUDFLARE_API_TOKEN |
| "401 Unauthorized" | Check token is valid |
| "403 Forbidden" | Token missing required permission |
| "Zone not found" | Verify domain is in your account |
