deploying-cloudflare-access-for-zero-trust

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt includes multiple curl examples and configuration snippets that embed API tokens, client_secrets, and access keys directly in headers, JSON bodies, and URL query strings (even if shown as placeholders), which instructs or encourages including secret values verbatim rather than using secure env-vars or credential stores.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill includes a runtime installation command that fetches and installs a remote binary (cloudflared) via curl from https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb which executes remote code and is required for the tunnel functionality, so it meets the flagging criteria.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt includes explicit privileged operations (multiple sudo commands), installation of a systemd service, and modification of system certificate stores and system files, which instruct the agent to change the host's state requiring root—so it should be flagged.