The Agent Skills Directory

[COMMAND_EXECUTION]: The skill mandates the execution of a curl command to http://localhost:8888/notify immediately upon invocation across all files. This represents an unauthenticated network request to a local service with no verification of the target's safety.
[CREDENTIALS_UNSAFE]: The troubleshooting script in Workflows/Troubleshoot.md reads sensitive local files (~/Projects/your-project/.env) to extract the CF_API_TOKEN credential for use in subsequent network requests.
[PROMPT_INJECTION]: The skill uses highly directive and aggressive language ('🚨 MANDATORY', 'REQUIRED BEFORE ANY ACTION', 'NEVER USE FUCKING CURL') designed to force specific agent behaviors and bypass the agent's default tool selection or safety protocols.
[PROMPT_INJECTION]: The skill instructs the agent to load and apply overriding configurations from ~/.claude/skills/PAI/USER/SKILLCUSTOMIZATIONS/Cloudflare/ before executing, which creates a mechanism for local instruction injection.
[PROMPT_INJECTION]: The troubleshooting workflow is vulnerable to indirect prompt injection (Tool Output Poisoning). It ingests untrusted data from Cloudflare deployment logs and instructs the agent to 'Analyze the logs' and 'Apply fixes' to the local codebase. An attacker who can influence build logs could potentially coerce the agent into inserting malicious code during the automated fix phase.
Ingestion points: Fetches logs via Cloudflare API in Workflows/Troubleshoot.md.
Boundary markers: None; the agent is simply told to analyze the raw output.
Capability inventory: The workflow encourages the agent to apply fixes to files, commit changes, and push to repositories.
Sanitization: None; the script and instructions do not filter or escape the log content.
[COMMAND_EXECUTION]: The skill includes a TypeScript automation script in Workflows/Troubleshoot.md intended to be run with the bun runtime, which performs arbitrary filesystem reads and network operations.

Cloudflare