cloudflare-tunnel-publish
Fail
Audited by Snyk on May 9, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt mostly uses secure env-input for the Cloudflare API token, but it explicitly allows the agent to "print" the derived run_token into chat (or otherwise deliver it verbatim) when the user must run cloudflared on their laptop. That requires the LLM to emit a secret value directly into the transcript, where it is logged, retained and readable by anything with access to the conversation, so it is an exfiltration path.
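One way to hand the derived run token to the user without ever writing its value into the chat, as an added example that is not part of the audited skill: the token is read from an environment variable, written to a mode-0600 file, and only a non-reversible fingerprint is printed for the user to compare. The variable name RUN_TOKEN, the destination path and the assert_no_leak guard are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not code from the audited skill. Assumes the derived token
# arrives in the environment variable RUN_TOKEN (name chosen for illustration)
# and that the user will run cloudflared on the machine where this runs.

# stash_token DEST: write $RUN_TOKEN to DEST with mode 0600 and print only a
# fingerprint (first 4 characters plus a truncated SHA-256) so the user can
# confirm they have the right value. The token itself is never printed.
stash_token() {
    dest="$1"
    if [ -z "$RUN_TOKEN" ]; then
        echo "stash_token: RUN_TOKEN is not set" >&2
        return 1
    fi
    # umask in a subshell so the restrictive mode does not leak to the caller
    ( umask 077 && printf '%s' "$RUN_TOKEN" > "$dest" ) || return 1
    fp=$(printf '%s' "$RUN_TOKEN" | sha256sum | cut -c1-16)
    printf 'token written to %s (prefix %s..., sha256 %s)\n' \
        "$dest" "$(printf '%s' "$RUN_TOKEN" | cut -c1-4)" "$fp"
}

# assert_no_leak TEXT: guard for anything about to be sent to the chat.
# Returns 1 (and refuses) if TEXT contains the token verbatim.
assert_no_leak() {
    case "$1" in
        *"$RUN_TOKEN"*) echo "refusing to output: token present verbatim" >&2; return 1 ;;
        *) return 0 ;;
    esac
}
```

The user is then told the file path and the fingerprint, and runs cloudflared with the token read from that file (for example via an environment variable populated from it) rather than pasting a value copied out of the conversation.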
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The skill explicitly fetches and interprets content from public, user-controlled hostnames (see Phase 8: "curl https://" and "Verify content, not just status code") and from public services (scripts/check_status.py uses doh_lookup against dns.google and http_check against https://). Untrusted third-party web content and DNS/HTTP responses are therefore read by the agent and used to decide its next actions, which is the precondition for indirect prompt injection: a page or record under someone else's control can carry instructions the agent may follow.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's run_tunnel.sh downloads and then executes a remote binary at runtime from "https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-${suffix}" (via curl -o, then chmod +x, then exec). The dependency is required, the URL resolves to whatever "latest" is at run time rather than a pinned release, and nothing verifies the downloaded artifact before it is executed, so the skill fetches and runs remote code it cannot vouch for.
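The pattern a reviewer would ask run_tunnel.sh to adopt instead, as an added example that is not the skill's own code: download a pinned release (the /releases/download/<tag>/ form of the GitHub URL rather than /releases/latest/download/) and refuse to mark the file executable unless its SHA-256 matches a digest recorded out of band. CLOUDFLARED_VERSION and CLOUDFLARED_SHA256 are placeholders the operator fills in from a release they have verified, not real values, and the uname-to-suffix mapping is an assumption since the audited script does not show how ${suffix} is derived.

```shell
#!/bin/sh
# Added example, not code from the audited skill. Version and digest are
# placeholders (assumptions) to be filled in by the operator from a verified
# release; they are not real cloudflared values.
CLOUDFLARED_VERSION="${CLOUDFLARED_VERSION:-X.Y.Z}"
CLOUDFLARED_SHA256="${CLOUDFLARED_SHA256:-<expected-sha256>}"

# verify_binary FILE EXPECTED_SHA256: 0 if the digest matches, 1 otherwise.
verify_binary() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$actual" != "$2" ]; then
        echo "checksum mismatch for $1: got $actual, want $2" >&2
        return 1
    fi
    return 0
}

# fetch_pinned DEST: download the pinned release asset (never /latest/), and
# delete it rather than chmod +x it if the digest does not match.
fetch_pinned() {
    dest="$1"
    # assumption: map uname -m to the asset suffix the release uses
    suffix=$(uname -m | sed 's/x86_64/amd64/; s/aarch64/arm64/')
    url="https://github.com/cloudflare/cloudflared/releases/download/${CLOUDFLARED_VERSION}/cloudflared-linux-${suffix}"
    curl -fsSL --proto '=https' --tlsv1.2 -o "$dest" "$url" || return 1
    if ! verify_binary "$dest" "$CLOUDFLARED_SHA256"; then
        rm -f "$dest"
        return 1
    fi
    chmod 0755 "$dest"
}
```

Pinning alone only makes the download reproducible; the digest check is what turns an unverifiable dependency into a verified one, and it must run before chmod +x and exec, not after.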
Issues (3)
W007 (HIGH): Insecure credential handling detected in skill instructions.
W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata