Security Audit
wrangler
github.com/Mrc220/agent_flywheel_clawdbot_skills_and_integrations
Trust Assessment
wrangler received a trust score of 63/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings include: potential for data exfiltration via arbitrary file upload to R2; a SQL injection vulnerability in D1 database execution; and a skill that grants broad administrative control over Cloudflare resources.
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, dependency_graph, static_code_analysis. The static_code_analysis layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit c7bd8e0f). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential for data exfiltration via arbitrary file upload to R2.** The skill exposes the `wrangler r2 object put` command, which allows the agent to upload local files to Cloudflare R2 buckets. If an attacker can control the `<local-path>` argument, they could instruct the agent to upload sensitive files from its local environment (e.g., `/etc/passwd`, `.env` files, SSH keys, or other confidential data) to an R2 bucket they control, leading to data exfiltration. Implement strict input validation for the `<local-path>` argument, restricting it to a whitelist of safe directories or disallowing arbitrary file paths. Consider sandboxing the agent's filesystem access or requiring explicit user confirmation for any file upload operations. | Unknown | SKILL.md:40 |
| HIGH | **SQL Injection vulnerability in D1 database execution.** The skill provides the `wrangler d1 execute` command, which allows executing arbitrary SQL queries against a D1 database. If the `--command` argument is constructed from untrusted user input without proper sanitization, an attacker could inject malicious SQL. This could lead to unauthorized data access, modification, deletion, or even denial of service on the D1 database. Ensure that any SQL commands passed to `wrangler d1 execute` are either hardcoded, strictly validated against a whitelist of allowed operations, or constructed using parameterized queries to prevent SQL injection. Avoid directly embedding untrusted user input into SQL command strings. | Unknown | SKILL.md:49 |
| MEDIUM | **Skill grants broad administrative control over Cloudflare resources.** The `wrangler` skill exposes a wide array of commands that provide extensive control over Cloudflare Workers, KV, R2, D1, Pages, and Secrets. This includes deploying code, managing data, and configuring secrets. If the agent's credentials are compromised or the agent is tricked into executing malicious commands, an attacker could gain full administrative control over the associated Cloudflare account and its resources, leading to significant data loss, service disruption, or unauthorized access. Implement the principle of least privilege. Only expose the specific `wrangler` subcommands and arguments absolutely necessary for the agent's intended function. Consider using Cloudflare API tokens with highly restricted permissions instead of full account credentials. Implement strict input validation and user confirmation for sensitive operations. | Unknown | SKILL.md:1 |