Cloudflare Deploy

Security checks across malware telemetry and agentic risk

Overview

This is not malware, but it gives an agent broad Cloudflare deployment and infrastructure guidance with several high-impact examples that lack strong guardrails.

Install only if you are comfortable with an agent helping manage Cloudflare infrastructure. Use scoped Cloudflare API tokens, prefer staging resources, review every DNS, email, billing, sandbox, and production-binding change before execution, and avoid copying examples that run arbitrary code or expose services without adding authentication, allowlists, and rollback steps.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (79)

Description-Behavior Mismatch

Severity: High, 95% confidence
Finding
This reference materially expands the skill from Cloudflare deployment/hosting into a general-purpose sandbox and container execution capability. In an agent skill, mismatched reference material can steer the agent toward unsafe actions outside its declared scope, including handling untrusted code execution that carries materially different risks than deployment workflows.

Context-Inappropriate Capability

Severity: High, 98% confidence
Finding
The example introduces arbitrary command execution inside a container (`sandbox.exec(...)`) in a skill intended for deployment to Cloudflare. Giving an agent documentation for code execution, process spawning, filesystem access, and service exposure creates a direct path to misuse, escalation of capability, and unsafe handling of untrusted user input.

Description-Behavior Mismatch

Severity: High, 96% confidence
Finding
This documentation normalizes a wide set of high-risk sandbox capabilities—arbitrary code execution, IDE hosting, CI execution, WebSocket proxying, persistent storage writes, and multi-tenant execution—that are materially broader than a Cloudflare deployment skill's stated purpose. Even as examples, including these patterns in-scope for the skill can encourage unsafe implementation drift, privilege expansion, and misuse of deployment workflows into general remote compute.

Context-Inappropriate Capability

Severity: High, 98% confidence
Finding
The interactive dev environment example exposes a remotely accessible code-server instance and installs software by piping a network-fetched script to the shell. For a deployment-focused skill, this introduces an unnecessary remote execution surface that could be abused for persistence, arbitrary code execution, data access, or lateral use of bound credentials.

Context-Inappropriate Capability

Severity: High, 98% confidence
Finding
The arbitrary code execution example accepts user-supplied code and runs it in a sandbox with persistent variables and rich output handling. In a Cloudflare deployment skill, this is unjustified and dangerous because it expands the role from deployment automation to a general code-execution service, increasing risk of abuse, secret exposure, and unsafe output rendering.

Context-Inappropriate Capability

Severity: Medium, 90% confidence
Finding
The CI/CD example clones an arbitrary repository and branch from user input, runs dependency installation, and executes tests. That capability is broader than deployment and effectively permits user-directed network retrieval and command execution, which can be abused to run untrusted build scripts or exfiltrate data available in the environment.
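The guardrail this finding is missing is input validation before anything reaches `git`. The following is an added example, not code from the skill: it accepts a repository URL only on an allowlisted host and organisation (the `github.com` / `example-org` entries are hypothetical placeholders), rejects branch names that break git's ref-name rules or could be parsed as an option, and rebuilds the clone command from the validated parts with an end-of-options marker.

```javascript
// Added example, not code from the skill: validate a user-supplied repository
// URL and branch before a sandbox runs `git clone` on them. The allowlisted
// host and organisation are hypothetical placeholders.
const ALLOWED_REPOS = new Map([
  ["github.com", new Set(["example-org"])],
]);

// Subset of git's ref-name rules plus the cases that matter for command
// safety: no control characters or shell/glob metacharacters, no "..",
// no "@{", no ".lock" suffix, and never a leading "-" (git would parse it
// as an option).
const BAD_REF_CHARS = /[\x00-\x20\x7f~^:?*[\\]/;

function isSafeBranch(branch) {
  if (typeof branch !== "string" || branch.length === 0 || branch.length > 255) return false;
  if (branch.startsWith("-") || branch.startsWith("/") || branch.endsWith("/")) return false;
  if (branch.includes("..") || branch.includes("@{") || branch.endsWith(".lock")) return false;
  return !BAD_REF_CHARS.test(branch);
}

// Accept only https URLs on an allowlisted host/org with a plain owner/repo
// path; reject embedded credentials, query strings and fragments outright.
function parseRepo(url) {
  let u;
  try { u = new URL(url); } catch { return null; }
  if (u.protocol !== "https:" || u.username || u.password || u.search || u.hash) return null;
  const host = u.hostname.toLowerCase();
  const allowedOrgs = ALLOWED_REPOS.get(host);
  if (!allowedOrgs) return null;
  const m = /^\/([A-Za-z0-9_.-]+)\/([A-Za-z0-9_.-]+?)(?:\.git)?\/?$/.exec(u.pathname);
  if (!m) return null;
  const [, org, repo] = m;
  if (!allowedOrgs.has(org) || repo === "." || repo === "..") return null;
  return { host, org, repo };
}

// argv for `git clone`, with "--" so nothing user-controlled can be parsed
// as a flag, or null when the input is rejected. Rebuilding the URL from the
// parsed parts means only the canonical form ever reaches git.
function buildCloneArgs(repoUrl, branch) {
  const repo = parseRepo(repoUrl);
  if (!repo || !isSafeBranch(branch)) return null;
  const canonical = `https://${repo.host}/${repo.org}/${repo.repo}.git`;
  return ["clone", "--depth", "1", "--branch", branch, "--", canonical, "workspace"];
}
```

Pass the returned array to the sandbox's process spawner as argv, never as a joined shell string; the allowlist, not the user, decides which code the CI step can fetch, and a rejected input should be logged and dropped rather than "fixed up".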

Context-Inappropriate Capability

Severity: High, 99% confidence
Finding
The multi-tenant example executes user-provided code per user session and constructs execution context from a user-controlled identifier. In the context of a deployment skill, this is unrelated and dangerous because it creates a general multi-tenant remote execution platform with risks of cross-tenant confusion, injection, and misuse of shared infrastructure.

Context-Inappropriate Capability

Severity: High, 95% confidence
Finding
The API auth header injection snippet hardcodes a secret token and rewrites authentication headers in transit. This encourages insecure secret handling, can break upstream auth assumptions, and may enable unauthorized internal API access if copied into production.
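For contrast, here is the shape of the weak pattern next to a hardened version. This is an added example, not the snippet from the skill: it assumes two Worker bindings that are placeholders here, a secret `INTERNAL_API_TOKEN` (set with `wrangler secret put`, never in source) and a plain variable `UPSTREAM_ORIGIN` naming the single host the Worker may call on a client's behalf.

```javascript
// Added example, not code from the skill. The pattern the finding describes
// looks roughly like this (do not copy):
//
//   const res = await fetch(url, { headers: { Authorization: "Bearer hardcoded-token" } });
//
// Hardened form: the token comes from a secret binding, the destination host
// comes from config rather than the request, and client-supplied credential
// headers are dropped rather than forwarded or silently overwritten.
const CLIENT_CREDENTIAL_HEADERS = ["authorization", "proxy-authorization", "cookie", "x-api-key"];

function buildUpstreamRequest(request, env) {
  if (!env.INTERNAL_API_TOKEN || !env.UPSTREAM_ORIGIN) {
    throw new Error("INTERNAL_API_TOKEN and UPSTREAM_ORIGIN must be configured");
  }
  const upstream = new URL(env.UPSTREAM_ORIGIN);
  const incoming = new URL(request.url);
  // Only the path and query travel; the host always comes from config, so the
  // server-held token can never be sent to a destination the client chose.
  const target = new URL(incoming.pathname + incoming.search, upstream.origin);

  const headers = new Headers(request.headers);
  for (const name of CLIENT_CREDENTIAL_HEADERS) headers.delete(name);
  headers.set("Authorization", `Bearer ${env.INTERNAL_API_TOKEN}`);

  // redirect: "manual" keeps the token from following a 3xx to another host.
  const init = { method: request.method, headers, redirect: "manual" };
  if (request.method !== "GET" && request.method !== "HEAD") {
    init.body = request.body;
    init.duplex = "half"; // Node's fetch requires this for streamed bodies (assumed harmless elsewhere)
  }
  return new Request(target.toString(), init);
}
```

In the Worker's `fetch` handler this is `return fetch(buildUpstreamRequest(request, env))`. The failure mode to keep in mind is the open-proxy one: if the upstream host were taken from the request instead of `UPSTREAM_ORIGIN`, every caller could point the Worker, and its token, at any host they liked.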

Context-Inappropriate Capability

Severity: Medium, 94% confidence
Finding
The example implements a generic network-testing gateway that accepts user-supplied host and port values and opens raw socket connections to arbitrary destinations. In a Cloudflare Workers context, this can enable SSRF-style probing, internal service discovery, and unintended access to private or sensitive network endpoints, especially because the example lacks any allowlist or destination validation.
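What the finding asks for is a destination check that runs before `connect()` from `cloudflare:sockets` is ever called. The following is an added example, not code from the skill: every permitted destination is enumerated by hostname and port (the two allowlist entries are hypothetical placeholders), and IP literals for loopback, RFC 1918, link-local, CGNAT and the IPv6 equivalents are refused even if someone adds them to the list by mistake.

```javascript
// Added example, not code from the skill: gate a user-supplied host and port
// before the gateway opens a socket. Allowlist entries are placeholders.
const ALLOWED_DESTINATIONS = new Map([
  ["db.example.internal", new Set([5432])],
  ["smtp.example.com", new Set([587])],
]);

function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Loopback, RFC 1918, link-local (which covers 169.254.169.254 metadata
// endpoints), CGNAT, "this" network, multicast/reserved, and the IPv6
// equivalents including IPv4-mapped addresses. A subset of the IANA
// special-purpose registries, not an exhaustive list.
function isPrivateAddress(host) {
  const v4 = parseIPv4(host);
  if (v4) {
    const [a, b] = v4;
    return a === 0 || a === 10 || a === 127 || a >= 224 ||
      (a === 169 && b === 254) || (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) || (a === 100 && b >= 64 && b <= 127);
  }
  if (host === "::" || host === "::1") return true;
  if (host.startsWith("::ffff:")) return isPrivateAddress(host.slice(7));
  return /^f[cd][0-9a-f]{2}:/.test(host) || /^fe[89ab][0-9a-f]:/.test(host); // fc00::/7, fe80::/10
}

function checkDestination(rawHost, rawPort) {
  const port = Number(rawPort);
  if (!Number.isInteger(port) || port < 1 || port > 65535) return { ok: false, reason: "bad port" };
  if (typeof rawHost !== "string") return { ok: false, reason: "bad host" };
  // Normalise before comparing: case, trailing dot, IPv6 brackets.
  const host = rawHost.trim().toLowerCase().replace(/\.$/, "").replace(/^\[|\]$/g, "");
  if (host === "" || /[^a-z0-9.:-]/.test(host)) return { ok: false, reason: "bad host" };
  if (isPrivateAddress(host)) return { ok: false, reason: "private or reserved address" };
  const ports = ALLOWED_DESTINATIONS.get(host);
  if (!ports) return { ok: false, reason: "host not allowlisted" };
  if (!ports.has(port)) return { ok: false, reason: "port not allowlisted for host" };
  return { ok: true, host, port };
}
```

Only `host` and `port` from a successful result should be passed to `connect()`, and the result should be logged either way. One caveat the allowlist does not cover: a hostname you do not control can be pointed at a private address by whoever runs its DNS, so allowlisted names should be ones your organisation operates.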

Missing User Warnings

Severity: Medium, 84% confidence
Finding
The documentation explicitly demonstrates persisting full email body contents to SQL, which can cause unnecessary retention of sensitive or regulated data. Developers may copy this pattern directly, leading to over-collection, long-term storage of secrets or personal data, and larger blast radius if the database is later accessed or breached.

Missing User Warnings

Severity: Medium, 84% confidence
Finding
The email-processing example persists full email bodies and then broadcasts AI-generated summaries to connected clients, which can expose sensitive or regulated content without any access control, minimization, or consent safeguards shown. In a patterns/reference file, readers may copy this design directly, making accidental privacy leakage and over-collection more likely.

Missing User Warnings

Severity: Medium, 95% confidence
Finding
The example shows telemetry code storing a user-supplied API key identifier in analytics data without any warning or minimization guidance. Even in documentation, this creates a strong copy-paste pattern that can lead developers to retain sensitive credentials in observability systems, expanding exposure and violating least-collection principles.

Missing User Warnings

Severity: Medium, 88% confidence
Finding
The examples show writing potentially sensitive identifiers such as apiKey, customerId, and userId into Analytics Engine indexes, and also include error messages that may contain user or system data. In a deployment-focused skill, users may copy these patterns directly into production, creating privacy, compliance, and data minimization issues if identifiers are stored without warning, masking, or retention guidance.

Missing User Warnings

Severity: Medium, 91% confidence
Finding
The file includes create, update, and delete examples for zones and DNS records without any cautionary guidance, confirmation requirements, or notes about service disruption. In a deployment-oriented skill, these snippets could be copied directly into automation and lead to accidental outages, domain misconfiguration, or irreversible deletion of production resources.
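The confirmation step this finding wants can be made mechanical: compute a plan from the current and desired record sets, flag the destructive operations, and refuse to apply unless the caller presents the exact plan summary it was shown. This is an added example, not code from the skill; the record shape mirrors the name/type/content/ttl/proxied fields of the Cloudflare DNS API, and both record sets below are constructed sample data.

```javascript
// Added example, not code from the skill: plan DNS changes, classify the
// destructive ones, and gate the apply step on an explicit confirmation.
function key(r) { return `${r.type} ${r.name.toLowerCase()}`; }

function planDnsChanges(current, desired, opts = {}) {
  const protect = new Set((opts.protectedNames || []).map((n) => n.toLowerCase()));
  const cur = new Map(current.map((r) => [key(r), r]));
  const want = new Map(desired.map((r) => [key(r), r]));
  const plan = [];
  for (const [k, d] of want) {
    const c = cur.get(k);
    if (!c) { plan.push({ op: "create", record: d }); continue; }
    const fields = ["content", "ttl", "proxied"].filter((f) => (c[f] ?? null) !== (d[f] ?? null));
    if (fields.length) plan.push({ op: "update", id: c.id, before: c, after: d, fields });
  }
  for (const [k, c] of cur) {
    if (!want.has(k)) plan.push({ op: "delete", id: c.id, record: c });
  }
  // Deletes and changes to content or proxy status alter where traffic goes;
  // a TTL-only change is the one thing treated as routine.
  const destructive = plan.filter((p) =>
    p.op === "delete" || (p.op === "update" && (p.fields.includes("content") || p.fields.includes("proxied"))));
  const touchesProtected = plan.filter((p) => protect.has((p.record || p.before).name.toLowerCase()));
  return { plan, destructive, touchesProtected };
}

// The text a human (or a reviewing agent) is shown. The confirmation must be
// this exact string, so an approval cannot be replayed against a different plan.
function summarize(plan) {
  return plan.map((p) =>
    p.op === "create" ? `+ ${key(p.record)} ${p.record.content}` :
    p.op === "delete" ? `- ${key(p.record)} ${p.record.content}` :
    `~ ${key(p.before)} ${p.fields.join(",")}`).join("\n");
}

function authorize(result, confirmation) {
  if (result.touchesProtected.length) return { allowed: false, reason: "touches protected names" };
  if (result.destructive.length === 0) return { allowed: true };
  if (confirmation !== summarize(result.plan)) return { allowed: false, reason: "destructive plan not confirmed" };
  return { allowed: true };
}

// Constructed sample data, shaped like GET /zones/{zone_id}/dns_records output.
const CURRENT = [
  { id: "r1", type: "A", name: "www.example.com", content: "203.0.113.10", ttl: 1, proxied: true },
  { id: "r2", type: "MX", name: "example.com", content: "mail.example.com", ttl: 3600, proxied: false },
  { id: "r3", type: "TXT", name: "example.com", content: "v=spf1 include:_spf.example.net -all", ttl: 3600, proxied: false },
];
const DESIRED = [
  { type: "A", name: "www.example.com", content: "203.0.113.20", ttl: 1, proxied: true },
  { type: "MX", name: "example.com", content: "mail.example.com", ttl: 3600, proxied: false },
  { type: "CNAME", name: "docs.example.com", content: "docs.example.net", ttl: 1, proxied: true },
];
```

Run `planDnsChanges(CURRENT, DESIRED)` and the plan is one content update, one create and one delete (the SPF record); `authorize` refuses it until it is handed `summarize(plan)` back, and refuses it outright when `example.com` is in `protectedNames`. Only after `allowed` is true should the individual API writes be issued, and the plan text is what goes in the change log.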

Missing User Warnings

Severity: Medium, 92% confidence
Finding
The GitHub Actions example performs `terraform apply -auto-approve`, which removes a human confirmation step before making live infrastructure changes. In a deployment skill for Cloudflare infrastructure, this increases the chance of unintended, costly, or service-impacting configuration changes being applied automatically from a repository push.
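The usual fix is to split plan from apply and put the human gate back as an environment protection rule. The workflow below is an added example, not the one from the skill: it assumes a repository secret named `CLOUDFLARE_API_TOKEN` holding a scoped token, a Terraform root in `infra/`, and a GitHub environment called `production` configured with required reviewers.

```yaml
# Added example, not the skill's workflow. Names of the secret, directory and
# environment are assumptions for this page.
name: cloudflare-terraform

on:
  pull_request:
    paths: ["infra/**"]
  push:
    branches: [main]
    paths: ["infra/**"]

permissions:
  contents: read

jobs:
  plan:
    runs-on: ubuntu-latest
    defaults: { run: { working-directory: infra } }
    env:
      CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}   # scoped token, not the global API key
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init -input=false
      - run: terraform plan -input=false -lock-timeout=60s -out=tfplan
      # The saved plan can contain resource attributes, including sensitive
      # ones; keep artifact retention short.
      - uses: actions/upload-artifact@v4
        with: { name: tfplan, path: infra/tfplan, retention-days: 1 }

  apply:
    needs: plan
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # Required reviewers on this environment are the confirmation step that
    # -auto-approve removed; the job waits here until someone approves.
    environment: production
    defaults: { run: { working-directory: infra } }
    env:
      CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - uses: actions/download-artifact@v4
        with: { name: tfplan, path: infra }
      - run: terraform init -input=false
      # Applying a saved plan does not prompt, so no -auto-approve is needed,
      # and nothing beyond what was reviewed can be applied.
      - run: terraform apply -input=false tfplan
```

Two things to check when copying this: the `plan` job runs on pull requests too, so its token needs only the permissions the plan requires, and the reviewer approving the `production` environment should be looking at the plan output from the earlier job, not just the commit.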

Missing User Warnings

Severity: Medium, 93% confidence
Finding
The examples directly enable Argo Smart Routing and Tiered Cache on a live zone, which changes production traffic behavior and can create billable usage, yet the document provides no explicit warning, confirmation requirement, or rollback guidance. In a deployment-focused skill, users may copy or automate these snippets as-is, increasing the chance of unintended configuration changes and surprise charges.

Missing User Warnings

Severity: Medium, 90% confidence
Finding
The Spectrum example shows how to publish TCP services such as databases and SSH through Cloudflare without warning about the exposure and operational consequences of changing app configuration. This is especially risky in a Cloudflare deployment skill because users may expose sensitive non-HTTP services to the internet or alter routing for production services without understanding access-control, authentication, and billing implications.

Missing User Warnings

Severity: Medium, 88% confidence
Finding
The documentation recommends `npx wrangler dev --remote` and explicitly notes that it uses production bindings, but it does not warn that development activity may read from, mutate, or otherwise affect live resources. In a deployment-focused skill, users are likely to copy commands verbatim, so this omission can lead to accidental modification of production KV, D1, R2, queues, or other bound services during testing.

Vague Triggers

Severity: Medium, 92% confidence
Finding
The activation guidance is extremely broad, covering nearly any request involving screenshots, PDFs, scraping, testing, or browser automation. In an agent setting, this can cause the skill to trigger for loosely related requests and expand the agent's operational scope into higher-risk activities such as automated web interaction or scraping without sufficiently clear boundaries or consent checks.

Missing User Warnings

Severity: Medium, 93% confidence
Finding
The examples forward entire inbound emails to another address without any warning that message bodies, headers, and attachments may be transmitted to an external recipient. In deployment-oriented documentation, this omission can cause users to enable behavior that exfiltrates live email content from their domain without fully understanding the privacy and compliance implications.

Missing User Warnings

Severity: Medium, 95% confidence
Finding
The instructions show how to enable Email Routing and attach a worker, but they do not warn that this change affects live domain mail flow. Users may apply the setting in production and unintentionally route real customer or employee email through custom worker logic, creating privacy, confidentiality, and misconfiguration risks.

Missing User Warnings

Severity: Medium, 89% confidence
Finding
The webhook example sends sender and subject metadata to an external endpoint without any warning, consent discussion, minimization guidance, or validation of where the data goes. In an email-processing context, even metadata can be sensitive, and this pattern can lead users to exfiltrate personal or confidential information to third parties unintentionally.

Missing User Warnings

Severity: Medium, 95% confidence
Finding
The archive and attachment examples persist email fields and attachment content to KV/R2 without warning about retention, sensitivity, access controls, or compliance implications. This is dangerous because users may copy the pattern and end up storing confidential messages, PII, or malware-laden attachments indefinitely or inappropriately.
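Both groups of findings above, the Analytics Engine ones that write `apiKey` and `customerId` into indexes and the email ones that persist full bodies, come down to the same missing step: minimise before you write. The following is an added example, not code from the skill. It assumes a secret binding `FINGERPRINT_KEY`, an Analytics Engine binding and a KV binding; the `message` argument mirrors the `from` and `headers` fields of the Email Workers message object, and the sample inputs in the usage are constructed.

```javascript
// Added example, not code from the skill. Identifiers become a keyed
// fingerprint (still groups rows per customer or key, not reversible without
// the key), error text is scrubbed of credential-shaped strings, and mail is
// archived as metadata plus a body digest with a TTL, never the body itself.
// env.FINGERPRINT_KEY is an assumed secret binding.
const enc = new TextEncoder();

async function getSubtle() {
  if (globalThis.crypto?.subtle) return globalThis.crypto.subtle; // Workers, Node 19+
  return (await import("node:crypto")).webcrypto.subtle;           // older Node, for offline runs
}

const hex = (buf) => [...new Uint8Array(buf)].map((b) => b.toString(16).padStart(2, "0")).join("");

// HMAC-SHA256 truncated to 96 bits.
async function fingerprint(secret, value) {
  const subtle = await getSubtle();
  const key = await subtle.importKey("raw", enc.encode(secret),
    { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
  return hex(await subtle.sign("HMAC", key, enc.encode(String(value)))).slice(0, 24);
}

// Strip bearer tokens, prefixed API keys and email addresses from free text
// before it lands in a blob column or a stored subject line.
function scrubSensitive(text) {
  return String(text)
    .replace(/Bearer\s+[A-Za-z0-9._~+\/=-]+/gi, "Bearer [redacted]")
    .replace(/\b(?:sk|cf|ghp)_[A-Za-z0-9_]{8,}\b/g, "[redacted-key]")
    .replace(/[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g, "[email]")
    .slice(0, 256);
}

// Analytics Engine data point: the index is the fingerprint, never the key.
async function analyticsPoint(env, { apiKey, customerId, route, status, error }) {
  const k = env.FINGERPRINT_KEY;
  return {
    indexes: [await fingerprint(k, apiKey)],
    blobs: [route, await fingerprint(k, customerId), error ? scrubSensitive(error) : ""],
    doubles: [status],
  };
}

// KV archive record: sender domain, scrubbed subject, body digest and size.
// Retention is set on the write itself (30 days), not left for later.
async function emailRecord(env, message, rawBody, receivedAt) {
  const subtle = await getSubtle();
  const digest = await subtle.digest("SHA-256", enc.encode(rawBody));
  return {
    key: `mail:${await fingerprint(env.FINGERPRINT_KEY, message.from)}:${receivedAt}`,
    value: {
      fromDomain: message.from.split("@").pop().toLowerCase(),
      subject: scrubSensitive(message.headers.get("subject") || "").slice(0, 120),
      bodySha256: hex(digest),
      bytes: enc.encode(rawBody).length,
      receivedAt,
    },
    options: { expirationTtl: 30 * 24 * 3600 },
  };
}
```

In a Worker the two results are consumed as `env.TELEMETRY.writeDataPoint(await analyticsPoint(env, {...}))` and `await env.ARCHIVE.put(rec.key, JSON.stringify(rec.value), rec.options)`. The digest lets you later prove a message was received and unchanged without having kept it; if a workflow genuinely needs bodies or attachments, store them in R2 under a separate, access-controlled bucket with a lifecycle rule, and treat attachments as untrusted files rather than passing them to other systems.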

Missing User Warnings

Severity: Medium, 86% confidence
Finding
The documentation recommends `npx wrangler dev --remote` and only briefly notes that it 'affects production'. In a deployment skill, users may copy commands verbatim; insufficient warning can lead to unintended interaction with live resources, data modification, or service disruption during testing.
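The practical guard for this finding, and for the earlier one about the same command, is to never have production bindings be the only bindings. The configuration below is an added example, not the skill's: it assumes a Worker with one KV namespace and one D1 database, and all IDs are placeholders. In Wrangler, bindings are not inherited by environments, so a `staging` environment that declares its own resources is what `wrangler dev --remote` attaches to when it is selected.

```toml
# wrangler.toml (added example; all IDs are placeholders)
name = "my-worker"
main = "src/index.ts"
compatibility_date = "2024-09-01"

# Top level is production. `npx wrangler dev --remote` with no --env attaches
# to these bindings, so every write made while testing lands in live data.
[[kv_namespaces]]
binding = "SESSIONS"
id = "prod-kv-namespace-id"

[[d1_databases]]
binding = "DB"
database_name = "app-prod"
database_id = "prod-d1-database-id"

# Separate resources for development and testing. Bindings are not inherited
# from the top level, so anything not declared here is simply absent in
# staging, which is the behaviour you want.
[env.staging]
name = "my-worker-staging"

[[env.staging.kv_namespaces]]
binding = "SESSIONS"
id = "staging-kv-namespace-id"

[[env.staging.d1_databases]]
binding = "DB"
database_name = "app-staging"
database_id = "staging-d1-database-id"
```

With this in place the commands to give an agent are `npx wrangler dev` (local simulation of bindings, the default in current Wrangler releases) for day-to-day work and `npx wrangler dev --env staging --remote` when behaviour on the real platform matters; `--remote` without `--env` should be treated as a production operation and reviewed like one.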

Missing User Warnings

Severity: Medium, 84% confidence
Finding
The documentation includes use of a legacy global API key without a clear warning that it is a highly sensitive credential and less preferable than scoped API tokens. Readers may copy this pattern into scripts or logs, increasing the chance of credential leakage or over-privileged authentication being used in production.

VirusTotal

65/65 vendors flagged this skill as clean.
