guifav

Cloudflare Guard

by Guilherme Favaron · GitHub ↗ · v0.1.2 · MIT-0
cross-platform ✓ Security Clean
985 Downloads · 0 Stars · 5 Active Installs · 3 Versions
Install in OpenClaw
/install cloudflare-guard
Description
Configures and manages Cloudflare DNS, caching, security rules, rate limiting, and Workers
README (SKILL.md)

Cloudflare Guard

You are an infrastructure engineer managing Cloudflare configurations for web applications deployed on Vercel. You handle DNS, caching, security, and edge logic. Always use the Cloudflare API v4 via curl. Never store API tokens in files.

Planning Protocol (MANDATORY — execute before ANY action)

Before making any API call to Cloudflare, you MUST complete this planning phase:

  1. Understand the request. Determine: (a) what DNS/caching/security change is needed, (b) which domain and zone it affects, (c) whether this is a new configuration or a modification to an existing one.

  2. Survey the current state. List existing DNS records, current SSL settings, active page rules, and rate limiting rules by querying the Cloudflare API. Never assume the current state — always check first.

  3. Build an execution plan. Write out: (a) each API call you will make, (b) the expected response, (c) the order of operations (e.g., DNS must be set before SSL can be verified). Present this plan before executing.

  4. Identify risks. Flag: (a) DNS changes that could cause downtime (changing proxied records, removing A/CNAME records), (b) SSL changes that could break HTTPS, (c) WAF rules that could block legitimate traffic. For DNS changes, note the propagation time.

  5. Execute sequentially. Make one API call at a time, verify the response, then proceed. For DNS changes, verify propagation with a lookup before moving on.

  6. Summarize. Report all changes made, current state after changes, and any propagation delays the user should expect.

Do NOT skip this protocol. A wrong DNS record or SSL setting can take the entire site offline.

Platform Compatibility

This skill uses curl and jq for Cloudflare API interactions. On Windows (without WSL), jq may not be available.

Alternatives when jq is not installed:

  • Use python3 -m json.tool for basic JSON formatting: curl ... | python3 -m json.tool
  • Use npx json (from the json npm package): curl ... | npx json
  • Use PowerShell's ConvertFrom-Json: (curl ... | ConvertFrom-Json)

Before executing any commands, check if jq is available by running which jq || command -v jq. If not found and on Windows, fall back to one of the alternatives above. All examples in this skill use jq syntax, but the agent should substitute the appropriate alternative for the user's platform.

API Base

All requests use:

https://api.cloudflare.com/client/v4

Auth header:

Authorization: Bearer $CLOUDFLARE_API_TOKEN
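
The risk step of the planning protocol and the rule about keeping the token out of files can both be enforced in a small wrapper around curl. This is an added example, not part of the skill: the function names, the CF_CONFIRM variable and the read/change/review labels are assumptions, and the paths it matches are the ones used by the commands on this page.

```shell
# Added example (not part of the skill). Function names, CF_CONFIRM and the
# read/change/review labels are assumptions of this example.
CF_API_BASE="https://api.cloudflare.com/client/v4"

# classify_call METHOD PATH -> prints read, change or review.
# "review" marks what the planning protocol and usage guidance single out:
# deletes, edits to existing DNS records, SSL settings, rulesets, bot
# settings and cache purges.
classify_call() {
  case "$1" in
    GET) echo read; return 0 ;;
    DELETE) echo review; return 0 ;;
  esac
  case "$2" in
    */dns_records/?*) echo review ;;   # PATCH/PUT on an existing record
    */settings/ssl|*/settings/always_use_https) echo review ;;
    */rulesets/*|*/bot_management|*/purge_cache) echo review ;;
    *) echo change ;;
  esac
}

# cf_call METHOD PATH [JSON_BODY]
# Returns 2 if the token is unset, 4 if PATH does not start with "/",
# 3 if a review-class call lacks CF_CONFIRM=yes; otherwise curl's status.
cf_call() {
  cf_method=$1 cf_path=$2 cf_body=${3-}
  if [ -z "${CLOUDFLARE_API_TOKEN-}" ]; then
    echo "CLOUDFLARE_API_TOKEN is not set" >&2; return 2
  fi
  case "$cf_path" in
    /*) ;;
    *) echo "path must start with /" >&2; return 4 ;;
  esac
  if [ "$(classify_call "$cf_method" "$cf_path")" = review ] &&
     [ "${CF_CONFIRM-}" != yes ]; then
    echo "refusing $cf_method $cf_path: review, then set CF_CONFIRM=yes" >&2
    return 3
  fi
  # printf is a shell builtin, so the token reaches curl on stdin
  # (--config -) and never appears in curl's argv or in a file.
  set -- -s --config - -X "$cf_method" -H "Content-Type: application/json"
  if [ -n "$cf_body" ]; then set -- "$@" --data "$cf_body"; fi
  printf 'header = "Authorization: Bearer %s"\n' "$CLOUDFLARE_API_TOKEN" |
    curl "$@" "$CF_API_BASE$cf_path"
}
```

With the functions sourced, cf_call GET "/zones/$CLOUDFLARE_ZONE_ID/dns_records" replaces the first curl command below; output can still be piped to jq.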

DNS Management

List DNS records

curl -s -X GET \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" | jq '.result[] | {id, type, name, content, proxied}'

Add CNAME for Vercel

curl -s -X POST \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "type": "CNAME",
    "name": "<subdomain>",
    "content": "cname.vercel-dns.com",
    "ttl": 1,
    "proxied": true
  }' | jq .

Add root domain A record (if needed)

curl -s -X POST \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "type": "A",
    "name": "@",
    "content": "76.76.21.21",
    "ttl": 1,
    "proxied": true
  }' | jq .

Delete a DNS record

curl -s -X DELETE \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records/<record-id>" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" | jq .

SSL/TLS Configuration

Set SSL mode to Full (Strict)

This is required when proxying through Cloudflare to Vercel:

curl -s -X PATCH \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/settings/ssl" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"value": "strict"}' | jq .

Enable Always Use HTTPS

curl -s -X PATCH \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/settings/always_use_https" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"value": "on"}' | jq .

Caching Rules

Set Browser Cache TTL

curl -s -X PATCH \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/settings/browser_cache_ttl" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"value": 14400}' | jq .

Purge All Cache

Use after major deployments:

curl -s -X POST \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/purge_cache" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"purge_everything": true}' | jq .

Purge Specific URLs

curl -s -X POST \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/purge_cache" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"files": ["https://example.com/path"]}' | jq .

Security Rules

Create Rate Limiting Rule

Protect API routes from abuse:

curl -s -X POST \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/rulesets/phases/http_ratelimit/entrypoint" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "rules": [{
      "expression": "(http.request.uri.path matches \"^/api/\")",
      "description": "Rate limit API routes",
      "action": "block",
      "ratelimit": {
        "characteristics": ["ip.src"],
        "period": 60,
        "requests_per_period": 100,
        "mitigation_timeout": 600
      }
    }]
  }' | jq .

Enable Bot Fight Mode

curl -s -X PUT \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/bot_management" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"fight_mode": true}' | jq .

Page Rules (Legacy but useful)

Cache static assets aggressively

curl -s -X POST \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/pagerules" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "targets": [{"target": "url", "constraint": {"operator": "matches", "value": "*.<domain>/_next/static/*"}}],
    "actions": [{"id": "cache_level", "value": "cache_everything"}, {"id": "edge_cache_ttl", "value": 2592000}],
    "status": "active"
  }' | jq .

Standard Setup for New Projects

When setting up Cloudflare for a new project on Vercel:

  1. Add CNAME record pointing to cname.vercel-dns.com.
  2. Set SSL to Full (Strict).
  3. Enable Always Use HTTPS.
  4. Add rate limiting for /api/* routes.
  5. Enable Bot Fight Mode.
  6. Set browser cache TTL to 4 hours.
  7. Create a page rule to cache _next/static/* aggressively.

Run all steps in sequence and report the result of each.

Troubleshooting

522 errors (Connection Timed Out)

  • Check that SSL is set to Full (Strict), not Flexible.
  • Verify Vercel domain is configured correctly.
  • Check if Cloudflare is proxying (orange cloud) — it should be.

Mixed content warnings

  • Enable Always Use HTTPS.
  • Check that all internal links use relative paths or https://.

Cache not updating after deploy

  • Purge cache after deployment.
  • Check that Cache-Control headers are set correctly in vercel.json.
Usage Guidance
This skill appears to be what it claims: an instruction-only Cloudflare management helper that expects a Cloudflare API token and zone ID and uses curl to call the official Cloudflare API. Before installing:

  1. Confirm the registry metadata (the provided summary lists no required env vars and no homepage, but claw.json and SKILL.md do require CLOUDFLARE_API_TOKEN and CLOUDFLARE_ZONE_ID and list a GitHub homepage).
  2. Use a scoped Cloudflare API token (least privilege) rather than a global account token.
  3. Back up current DNS and configuration and test in staging wherever possible; operations like deleting records, changing SSL mode, or purging caches can cause outages.
  4. Verify you (or the agent) will not run these commands unattended — the SKILL.md requires a planning step before actions; ensure that the agent's use of the skill preserves that human review if you want manual oversight.
  5. If you need auditability, ensure logs and Cloudflare audit trails are enabled since the skill issues API calls that change live configuration.
Capability Analysis
Type: OpenClaw Skill
Name: cloudflare-guard
Version: 0.1.2

The cloudflare-guard skill is a legitimate tool for managing Cloudflare configurations via its official API. It includes a mandatory 'Planning Protocol' that enforces safety checks and state verification before making changes, and it explicitly instructs the agent not to store API tokens in files. No evidence of data exfiltration, malicious execution, or prompt injection was found across SKILL.md or claw.json.
Capability Assessment
Purpose & Capability
The name/description (Cloudflare DNS, caching, WAF, rate limiting, Workers) match the SKILL.md content, which contains concrete curl calls to api.cloudflare.com for DNS, SSL, cache, rate limits, and Workers. Requiring a Cloudflare API token and zone ID is appropriate for this purpose.
Instruction Scope
SKILL.md stays on-task: it instructs the agent to use Cloudflare's API via curl/jq (or platform alternatives), to enumerate current state, build a plan, then perform and verify changes. It does include destructive operations (delete DNS records, purge cache, modify SSL/WAF) but explicitly mandates a planning protocol to avoid accidental outages. It does not instruct reading unrelated local files or sending data to non-Cloudflare endpoints.
Install Mechanism
This is instruction-only (no install spec or code files), which is low risk. The manifest requires curl (present in claw.json) which aligns with SKILL.md. No downloads or archive extracts are present.
Credentials
The skill uses CLOUDFLARE_API_TOKEN and CLOUDFLARE_ZONE_ID as shown in SKILL.md and claw.json (primaryEnv set to the API token), which is appropriate. However, the top-level registry metadata in the provided summary said "Required env vars: none" while claw.json and SKILL.md do require those env vars — this metadata inconsistency should be resolved before trusting automatic installs.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide modifications or secrets beyond its own declared token/zone. Model invocation is allowed (normal for skills) but there is no evidence it will persist itself or modify other skills.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install cloudflare-guard
  3. After installation, invoke the skill by name or use /cloudflare-guard
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.2
cloudflare-guard 0.1.2

  • Added platform compatibility instructions for users without `jq`, especially on Windows.
  • Skills now include alternative JSON processing commands (`python3 -m json.tool`, `npx json`, or PowerShell's `ConvertFrom-Json`) and instruct checking for `jq` before using.
  • No breaking changes to API usage or workflow.
v0.1.1
  • Updated metadata in claw.json; no changes to user-facing documentation or features.
  • Maintenance release with internal configuration updates only.
v0.1.0
Initial release of cloudflare-guard skill with robust Cloudflare management protocols for Vercel deployments.

  • Provides user-invocable routines for DNS, caching, security, rate limiting, and Workers using Cloudflare API v4 and curl.
  • Implements a strict planning protocol that requires state checks, execution planning, risk assessment, and sequential execution with verification before any Cloudflare API call.
  • Includes clear troubleshooting guidance for common Cloudflare deployment issues.
  • Offers ready-to-use curl commands for core DNS, SSL, caching, and security tasks.
  • Standardizes Cloudflare setups for new Vercel projects, including DNS records, SSL, HTTPS enforcement, rate limiting, and caching strategies.
Metadata
Slug cloudflare-guard
Version 0.1.2
License MIT-0
All-time Installs 5
Active Installs 5
Total Versions 3
Frequently Asked Questions

What is Cloudflare Guard?

Configures and manages Cloudflare DNS, caching, security rules, rate limiting, and Workers. It is an AI Agent Skill for Claude Code / OpenClaw, with 985 downloads so far.

How do I install Cloudflare Guard?

Run "/install cloudflare-guard" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Cloudflare Guard free?

Yes, Cloudflare Guard is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Cloudflare Guard support?

Cloudflare Guard is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Cloudflare Guard?

It is built and maintained by Guilherme Favaron (@guifav); the current version is v0.1.2.
