OpenClaw Cloudflare Secure

by jskoiz · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
1508 Downloads · 0 Stars · 4 Active Installs · 1 Versions
Install in OpenClaw
/install openclaw-cloudflare-secure
Description
Securely expose an OpenClaw Gateway WebUI on a VPS via Cloudflare Zero Trust Access + Cloudflare Tunnel (cloudflared), including DNS cutover for custom hostnames and optional cleanup of Tailscale Serve.
Usage Guidance
Before installing, be aware of these points:
- The SKILL.md and scripts require a CLOUDFLARE_API_TOKEN (and a separate cloudflared tunnel token) even though the registry metadata says none. Do not rely solely on the registry summary when deciding to provide credentials.
- Provide a token with the least-privilege permissions recommended (Zone:DNS:Edit + Zone:Zone:Read) and rotate/revoke it after use if appropriate.
- The dns_point_hostname_to_tunnel.sh script will delete any existing A/AAAA/CNAME records for the hostname. Back up DNS records or confirm you want that change before running.
- install_cloudflared.sh downloads and installs a .deb from GitHub without checksum verification; consider verifying the release manually or installing cloudflared via your distro's package manager or a signed artifact if you need stronger supply-chain assurance.
- The scripts require sudo (systemctl, dpkg) and assume amd64; verify target host architecture and run in a controlled environment first.
- If you need higher assurance, review the cf_dns.py and shell scripts line-by-line, and test in a non-production environment. Ask the publisher to update the registry metadata to declare CLOUDFLARE_API_TOKEN as a required env var and to add checksum verification for the downloaded package.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-cloudflare-secure
Version: 1.0.0

This skill is classified as suspicious due to its reliance on high-privilege operations and sensitive API token usage, even though these are necessary for its stated purpose. Specifically, the `scripts/install_cloudflared.sh` script downloads and installs software from an external source using `wget` and `sudo dpkg -i`, and `scripts/tunnel_service_install.sh` installs and enables a system service using `sudo cloudflared service install` and `sudo systemctl enable --now cloudflared`. Furthermore, `scripts/cf_dns.py` and its wrappers (`dns_create_record.sh`, `dns_point_hostname_to_tunnel.sh`) manage Cloudflare DNS records using a `CLOUDFLARE_API_TOKEN`, which grants significant control over DNS. While these actions are directly aligned with the goal of setting up a Cloudflare Tunnel and DNS, the inherent risks associated with `sudo` and API token management warrant a 'suspicious' classification, as per the defined threshold for risky capabilities without clear malicious intent.
Capability Assessment
Purpose & Capability
Functionality matches the name/description: it installs cloudflared, configures a tunnel, and manages Cloudflare DNS to point a hostname at the tunnel. However, the registry metadata claims no required environment variables while the SKILL.md and cf_dns.py require CLOUDFLARE_API_TOKEN, an inconsistency between the declared and the actual requirements.
Instruction Scope
SKILL.md is prescriptive and stays on-topic: it instructs installing cloudflared, running a service install with a tunnel token, creating an Access app in the Zero Trust UI, and creating/upserting DNS records. The scripts will delete existing A/AAAA/CNAME records for a hostname (explicitly), which is disruptive but consistent with the stated 'DNS cutover' purpose. All network calls are to Cloudflare API or GitHub releases; no unexpected external endpoints are present.
Install Mechanism
install_cloudflared.sh downloads an official GitHub release .deb and installs it with dpkg. The source domain (github.com/cloudflare/cloudflared) is legitimate, but there is no checksum/signature verification in the script — this increases risk slightly compared with a verified package install.
Credentials
The code and documentation require CLOUDFLARE_API_TOKEN (and you must provide a tunnel token at runtime). The token requirement is appropriate for DNS edits and is scoped in the docs to least-privilege permissions, but the skill registry metadata incorrectly lists no required env vars. That mismatch is important: if you rely on registry metadata to decide whether to grant tokens, it understates the required credential access.
Persistence & Privilege
The skill does not request 'always: true'. The scripts enable a systemd service (cloudflared), which is expected for a tunnel. The skill does not modify other skills' configs or ask for system-wide agent settings beyond installing and enabling cloudflared.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install openclaw-cloudflare-secure
  3. After installation, invoke the skill by name or use /openclaw-cloudflare-secure
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Cloudflare Tunnel + Access pattern for OpenClaw WebUI; includes bundled DNS helper for least-privilege subdomain/record management.
Metadata
Slug openclaw-cloudflare-secure
Version 1.0.0
License
All-time Installs 5
Active Installs 4
Total Versions 1
Frequently Asked Questions

What is OpenClaw Cloudflare Secure?

Securely expose an OpenClaw Gateway WebUI on a VPS via Cloudflare Zero Trust Access + Cloudflare Tunnel (cloudflared), including DNS cutover for custom hostnames and optional cleanup of Tailscale Serve. It is an AI Agent Skill for Claude Code / OpenClaw, with 1508 downloads so far.

How do I install OpenClaw Cloudflare Secure?

Run "/install openclaw-cloudflare-secure" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is OpenClaw Cloudflare Secure free?

Yes, OpenClaw Cloudflare Secure is completely free (open-source). You can download, install and use it at no cost.

Which platforms does OpenClaw Cloudflare Secure support?

OpenClaw Cloudflare Secure is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created OpenClaw Cloudflare Secure?

It is built and maintained by jskoiz (@jskoiz); the current version is v1.0.0.
