cloudflare-tunnel

Warn

Audited by Gen Agent Trust Hub on Jul 9, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill extensively uses shell commands through the Bash tool to create tunnels, route DNS, and manage system services using launchctl.
  • [PERSISTENCE_MECHANISMS]: The skill provides detailed instructions to install the cloudflared process as a persistent background service using a macOS Launch Agent (~/Library/LaunchAgents/com.cloudflare.cloudflared.plist), which ensures the process starts automatically at login.
  • [PROMPT_INJECTION]: The skill uses placeholders such as <username>, <app>, and <your-domain> within shell command templates. This presents a surface for indirect prompt injection if an attacker-controlled string is used to fill these variables without proper escaping.
  • Ingestion points: Template variables in SKILL.md meant for agent interpolation.
  • Boundary markers: None present to isolate variables from the executable command structure.
  • Capability inventory: Bash (subprocess execution) and Write/Edit (file system modification).
  • Sanitization: No sanitization or validation logic is defined for the interpolated values.
  • [DATA_EXFILTRATION]: The skill accesses and manages sensitive authentication files in the ~/.cloudflared/ directory, including cert.pem and tunnel credentials stored in JSON format, which are required for the tunnel to function.
  • [EXTERNAL_DOWNLOADS]: Recommends the installation of the cloudflared binary using Homebrew (brew install cloudflared), a standard installation method for the official Cloudflare utility.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 9, 2026, 08:56 PM
Security Audit — agent-trust-hub — cloudflare-tunnel