Cloudflare R2 CLI

Review

Audited by ClawScan on May 1, 2026.

Overview

This skill appears to do what it claims—manage Cloudflare R2 objects—but it requires R2 credentials and can upload, download, and delete bucket data.

This appears safe for its stated purpose if you trust the code and configure it carefully. Use a dedicated least-privilege Cloudflare R2 key, avoid broad account permissions, double-check delete/upload commands, and install the defusedxml dependency from a trusted source.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the R2 key has broad permissions, the agent could access or modify more bucket data than intended when the CLI is used.

Why it was flagged

The tool uses Cloudflare R2 access credentials and a configured bucket from environment variables. This is necessary for the stated purpose, but these credentials grant cloud storage access.

Skill content

```python
ACCESS_KEY = os.getenv("CF_R2_ACCESS_KEY_ID")
SECRET_KEY = os.getenv("CF_R2_SECRET_ACCESS_KEY")
BUCKET = os.getenv("CF_R2_BUCKET")
```

Recommendation

Use a dedicated, least-privilege R2 API key limited to the intended bucket and operations, and rotate it if exposed.

What this means

A mistaken or over-permitted use could overwrite/upload sensitive data or delete objects from the configured R2 bucket.

Why it was flagged

The CLI can upload local file contents to R2 and delete R2 objects. These are disclosed and purpose-aligned, but they are high-impact storage operations.

Skill content

```python
status, _ = _request("PUT", key, data)
...
status, _ = _request("DELETE", key)
```

Recommendation

Review commands before running them, especially delete and upload operations, and consider adding a confirmation step for deletion in agent workflows.

What this means

Users must obtain the dependency from their Python package source, so normal package provenance and version-control hygiene apply.

Why it was flagged

The skill relies on an external Python dependency installed manually from the package ecosystem. This is expected for secure XML parsing, but there is no install spec or lockfile in the provided artifacts.

Skill content
If `defusedxml` is not already available:

```bash
pip install defusedxml
```

Recommendation

Install defusedxml from a trusted package index and consider pinning an approved version in controlled environments.