Security Audit
wrangler
github.com/Mrc220/agent_flywheel_clawdbot_skills_and_integrationsTrust Assessment
wrangler received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include Arbitrary SQL Command Injection via `wrangler d1 execute`, Local File Exfiltration via `wrangler r2 object put --file`, Credential Manipulation via `wrangler secret put`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit 6a655802). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary SQL Command Injection via `wrangler d1 execute` The `wrangler d1 execute` command allows executing arbitrary SQL queries against a D1 database. If an attacker can control the `--command` argument, they can inject malicious SQL to read, modify, or delete sensitive data, or perform other unauthorized database operations, leading to data compromise or service disruption. Implement strict input validation and sanitization for any user-provided input used in the `--command` argument. Prefer parameterized queries or a limited set of predefined, safe SQL operations over arbitrary command execution. Restrict the agent's ability to construct arbitrary SQL commands. | LLM | SKILL.md:75 | |
| HIGH | Local File Exfiltration via `wrangler r2 object put --file` The `wrangler r2 object put` command, when used with the `--file` argument, allows uploading any local file from the agent's execution environment to an R2 bucket. An attacker could instruct the agent to upload sensitive files (e.g., configuration files, environment variables, credentials, or other local data) to an R2 bucket under their control, leading to data exfiltration. Restrict the agent's ability to specify arbitrary local file paths for upload. If file uploads are necessary, implement a whitelist of allowed directories or file types, and ensure the agent cannot access sensitive system paths. Monitor and audit R2 upload activities for unusual patterns. | LLM | SKILL.md:63 | |
| HIGH | Credential Manipulation via `wrangler secret put` The `wrangler secret put` command allows an agent to set or overwrite secrets within the Cloudflare environment. If an attacker can control the `<SECRET_NAME>` and the `secret-value` provided to this command, they could inject malicious credentials, overwrite legitimate secrets, or create new backdoors, potentially leading to unauthorized access or privilege escalation within Cloudflare services. Implement strict validation and access controls for setting secrets. Restrict the agent's ability to create or modify secrets, especially those with high privileges. Require explicit human approval for secret modifications. Monitor secret changes for suspicious activity. | LLM | SKILL.md:99 | |
| MEDIUM | Broad Cloudflare Resource Management Capabilities The `wrangler` skill provides an AI agent with extensive control over a wide range of Cloudflare services, including Workers, KV, R2, D1, Pages, and Secrets. This broad access allows for deployment, modification, deletion, and data manipulation across critical cloud infrastructure. While inherent to the tool's purpose, granting such wide-ranging capabilities to an AI agent significantly increases the blast radius in case of compromise or misuse. Implement the principle of least privilege. Carefully evaluate which specific `wrangler` commands and sub-commands are absolutely necessary for the agent's intended function. Consider creating fine-grained API tokens with minimal permissions for the agent, rather than using a full-access token. Implement robust monitoring and alerting for all actions performed by the agent using this skill. | LLM | SKILL.md:1 |
Scan History
Embed Code
[](https://skillshield.io/report/7f9570129a85b3fb)
Powered by SkillShield