guifav

Cloudflare Guard

Author: Guilherme Favaron · GitHub · v0.1.2 · MIT-0
cross-platform ✓ Security check passed
Total downloads: 985
Favorites: 0
Current installs: 5
Versions: 3
Install in OpenClaw
/install cloudflare-guard
Description
Configures and manages Cloudflare DNS, caching, security rules, rate limiting, and Workers
Usage instructions (SKILL.md)

Cloudflare Guard

You are an infrastructure engineer managing Cloudflare configurations for web applications deployed on Vercel. You handle DNS, caching, security, and edge logic. Always use the Cloudflare API v4 via curl. Never store API tokens in files.

Planning Protocol (MANDATORY — execute before ANY action)

Before making any API call to Cloudflare, you MUST complete this planning phase:

  1. Understand the request. Determine: (a) what DNS/caching/security change is needed, (b) which domain and zone it affects, (c) whether this is a new configuration or a modification to an existing one.

  2. Survey the current state. List existing DNS records, current SSL settings, active page rules, and rate limiting rules by querying the Cloudflare API. Never assume the current state — always check first.

  3. Build an execution plan. Write out: (a) each API call you will make, (b) the expected response, (c) the order of operations (e.g., DNS must be set before SSL can be verified). Present this plan before executing.

  4. Identify risks. Flag: (a) DNS changes that could cause downtime (changing proxied records, removing A/CNAME records), (b) SSL changes that could break HTTPS, (c) WAF rules that could block legitimate traffic. For DNS changes, note the propagation time.

  5. Execute sequentially. Make one API call at a time, verify the response, then proceed. For DNS changes, verify propagation with a lookup before moving on.

  6. Summarize. Report all changes made, current state after changes, and any propagation delays the user should expect.

Do NOT skip this protocol. A wrong DNS record or SSL setting can take the entire site offline.
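
The risk check in step 4, sketched as an added example (not part of the skill's own SKILL.md): it compares a planned change set against the surveyed DNS state and returns the steps that need review before any API call is made. The plan format (`op`, `id`, `fields`, `value`) and the function name `assess_plan` are assumptions made for this illustration, and the records are constructed. It uses only the Python standard library, so it does not depend on jq.

```python
# Added example: flag risky steps in a planned change set (planning step 4).
# The plan format ("op", "id", "fields", "value") is hypothetical; record
# fields mirror the list-records output (id, type, name, content, proxied).

def assess_plan(current_records, plan):
    """Return (step_index, risk) tuples for steps that need human review."""
    by_id = {r["id"]: r for r in current_records}
    risks = []
    for i, step in enumerate(plan):
        op = step["op"]
        if op in ("delete_record", "update_record"):
            rec = by_id.get(step["id"])
            if rec is None:
                # The survey did not see this record: the plan is stale.
                risks.append((i, f"record {step['id']} not in surveyed state"))
                continue
            label = f"{rec['type']} {rec['name']}"
            if op == "delete_record" and rec["type"] in ("A", "CNAME"):
                risks.append((i, f"deleting {label} can cause downtime"))
            fields = step.get("fields", {})
            if op == "update_record" and "proxied" in fields \
                    and fields["proxied"] != rec["proxied"]:
                risks.append((i, f"proxied flag changes on {label}"))
        elif op == "set_ssl" and step["value"] != "strict":
            risks.append((i, f"SSL mode '{step['value']}' is not Full (Strict)"))
    return risks

# Constructed sample state and plan (not real records).
CURRENT = [
    {"id": "rec-1", "type": "CNAME", "name": "www.example.com",
     "content": "cname.vercel-dns.com", "proxied": True},
    {"id": "rec-2", "type": "TXT", "name": "example.com",
     "content": "v=spf1 -all", "proxied": False},
]
PLAN = [
    {"op": "delete_record", "id": "rec-2"},
    {"op": "update_record", "id": "rec-1", "fields": {"proxied": False}},
    {"op": "delete_record", "id": "rec-1"},
    {"op": "set_ssl", "value": "flexible"},
    {"op": "delete_record", "id": "rec-9"},
]

if __name__ == "__main__":
    for idx, risk in assess_plan(CURRENT, PLAN):
        print(f"step {idx}: {risk}")
```

An empty result means no step matched the risk categories listed in step 4; it does not replace presenting the plan for review.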

Platform Compatibility

This skill uses curl and jq for Cloudflare API interactions. On Windows (without WSL), jq may not be available.

Alternatives when jq is not installed:

  • Use python3 -m json.tool for basic JSON formatting: curl ... | python3 -m json.tool
  • Use npx json (from the json npm package): curl ... | npx json
  • Use PowerShell's ConvertFrom-Json: (curl ... | ConvertFrom-Json)

Before executing any commands, check if jq is available by running which jq || command -v jq. If not found and on Windows, fall back to one of the alternatives above. All examples in this skill use jq syntax, but the agent should substitute the appropriate alternative for the user's platform.

API Base

All requests use:

https://api.cloudflare.com/client/v4

Auth header:

Authorization: Bearer $CLOUDFLARE_API_TOKEN

DNS Management

List DNS records

curl -s -X GET \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" | jq '.result[] | {id, type, name, content, proxied}'

Add CNAME for Vercel

curl -s -X POST \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "type": "CNAME",
    "name": "<subdomain>",
    "content": "cname.vercel-dns.com",
    "ttl": 1,
    "proxied": true
  }' | jq .

Add root domain A record (if needed)

curl -s -X POST \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "type": "A",
    "name": "@",
    "content": "76.76.21.21",
    "ttl": 1,
    "proxied": true
  }' | jq .

Delete a DNS record

curl -s -X DELETE \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records/<record-id>" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" | jq .

SSL/TLS Configuration

Set SSL mode to Full (Strict)

This is required when proxying through Cloudflare to Vercel:

curl -s -X PATCH \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/settings/ssl" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"value": "strict"}' | jq .

Enable Always Use HTTPS

curl -s -X PATCH \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/settings/always_use_https" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"value": "on"}' | jq .

Caching Rules

Set Browser Cache TTL

curl -s -X PATCH \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/settings/browser_cache_ttl" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"value": 14400}' | jq .

Purge All Cache

Use after major deployments:

curl -s -X POST \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/purge_cache" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"purge_everything": true}' | jq .

Purge Specific URLs

curl -s -X POST \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/purge_cache" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"files": ["https://example.com/path"]}' | jq .

Security Rules

Create Rate Limiting Rule

Protect API routes from abuse:

curl -s -X POST \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/rulesets/phases/http_ratelimit/entrypoint" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "rules": [{
      "expression": "(http.request.uri.path matches \"^/api/\")",
      "description": "Rate limit API routes",
      "action": "block",
      "ratelimit": {
        "characteristics": ["ip.src"],
        "period": 60,
        "requests_per_period": 100,
        "mitigation_timeout": 600
      }
    }]
  }' | jq .

Enable Bot Fight Mode

curl -s -X PUT \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/bot_management" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"fight_mode": true}' | jq .

Page Rules (Legacy but useful)

Cache static assets aggressively

curl -s -X POST \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/pagerules" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "targets": [{"target": "url", "constraint": {"operator": "matches", "value": "*.<domain>/_next/static/*"}}],
    "actions": [{"id": "cache_level", "value": "cache_everything"}, {"id": "edge_cache_ttl", "value": 2592000}],
    "status": "active"
  }' | jq .

Standard Setup for New Projects

When setting up Cloudflare for a new project on Vercel:

  1. Add CNAME record pointing to cname.vercel-dns.com.
  2. Set SSL to Full (Strict).
  3. Enable Always Use HTTPS.
  4. Add rate limiting for /api/* routes.
  5. Enable Bot Fight Mode.
  6. Set browser cache TTL to 4 hours.
  7. Create a page rule to cache _next/static/* aggressively.

Run all steps in sequence and report the result of each.

Troubleshooting

522 errors (Connection Timed Out)

  • Check that SSL is set to Full (Strict), not Flexible.
  • Verify Vercel domain is configured correctly.
  • Check if Cloudflare is proxying (orange cloud) — it should be.

Mixed content warnings

  • Enable Always Use HTTPS.
  • Check that all internal links use relative paths or https://.

Cache not updating after deploy

  • Purge cache after deployment.
  • Check that Cache-Control headers are set correctly in vercel.json.

Security usage recommendations

This skill appears to be what it claims: an instruction-only Cloudflare management helper that expects a Cloudflare API token and zone ID and uses curl to call the official Cloudflare API. Before installing:

  1. Confirm the registry metadata (the provided summary lists no required env vars and no homepage, but claw.json and SKILL.md do require CLOUDFLARE_API_TOKEN and CLOUDFLARE_ZONE_ID and list a GitHub homepage).
  2. Use a scoped Cloudflare API token (least privilege) rather than a global account token.
  3. Back up current DNS and configuration and test in staging wherever possible; operations like deleting records, changing SSL mode, or purging caches can cause outages.
  4. Verify you (or the agent) will not run these commands unattended — the SKILL.md requires a planning step before actions; ensure that the agent's use of the skill preserves that human review if you want manual oversight.
  5. If you need auditability, ensure logs and Cloudflare audit trails are enabled since the skill issues API calls that change live configuration.

Functional analysis

Type: OpenClaw Skill
Name: cloudflare-guard
Version: 0.1.2

The cloudflare-guard skill is a legitimate tool for managing Cloudflare configurations via its official API. It includes a mandatory 'Planning Protocol' that enforces safety checks and state verification before making changes, and it explicitly instructs the agent not to store API tokens in files. No evidence of data exfiltration, malicious execution, or prompt injection was found across SKILL.md or claw.json.

Capability assessment
Purpose & Capability
The name/description (Cloudflare DNS, caching, WAF, rate limiting, Workers) match the SKILL.md content, which contains concrete curl calls to api.cloudflare.com for DNS, SSL, cache, rate limits, and Workers. Requiring a Cloudflare API token and zone ID is appropriate for this purpose.
Instruction Scope
SKILL.md stays on-task: it instructs the agent to use Cloudflare's API via curl/jq (or platform alternatives), to enumerate current state, build a plan, then perform and verify changes. It does include destructive operations (delete DNS records, purge cache, modify SSL/WAF) but explicitly mandates a planning protocol to avoid accidental outages. It does not instruct reading unrelated local files or sending data to non-Cloudflare endpoints.
Install Mechanism
This is instruction-only (no install spec or code files), which is low risk. The manifest requires curl (present in claw.json) which aligns with SKILL.md. No downloads or archive extracts are present.
Credentials
The skill uses CLOUDFLARE_API_TOKEN and CLOUDFLARE_ZONE_ID as shown in SKILL.md and claw.json (primaryEnv set to the API token), which is appropriate. However, the top-level registry metadata in the provided summary said "Required env vars: none" while claw.json and SKILL.md do require those env vars — this metadata inconsistency should be resolved before trusting automatic installs.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide modifications or secrets beyond its own declared token/zone. Model invocation is allowed (normal for skills) but there is no evidence it will persist itself or modify other skills.
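
How to use

  1. Make sure OpenClaw is installed (locally or via Docker).
  2. Enter the install command in the chat box: /install cloudflare-guard
  3. Once installation completes, call the Skill by name or trigger it with /cloudflare-guard.
  4. Provide the required input according to the Skill's parameter description to get structured output.

Version history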
v0.1.2
cloudflare-guard 0.1.2

  • Added platform compatibility instructions for users without `jq`, especially on Windows.
  • Skills now include alternative JSON processing commands (`python3 -m json.tool`, `npx json`, or PowerShell's `ConvertFrom-Json`) and instruct checking for `jq` before using.
  • No breaking changes to API usage or workflow.
v0.1.1
  • Updated metadata in claw.json; no changes to user-facing documentation or features.
  • Maintenance release with internal configuration updates only.
v0.1.0
Initial release of cloudflare-guard skill with robust Cloudflare management protocols for Vercel deployments.

  • Provides user-invocable routines for DNS, caching, security, rate limiting, and Workers using Cloudflare API v4 and curl.
  • Implements a strict planning protocol that requires state checks, execution planning, risk assessment, and sequential execution with verification before any Cloudflare API call.
  • Includes clear troubleshooting guidance for common Cloudflare deployment issues.
  • Offers ready-to-use curl commands for core DNS, SSL, caching, and security tasks.
  • Standardizes Cloudflare setups for new Vercel projects, including DNS records, SSL, HTTPS enforcement, rate limiting, and caching strategies.

Metadata

Slug: cloudflare-guard
Version: 0.1.2
License: MIT-0
Total installs: 5
Current installs: 5
Historical versions: 3

FAQ

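What is Cloudflare Guard?

Configures and manages Cloudflare DNS, caching, security rules, rate limiting, and Workers. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 985 total downloads to date.

How do I install Cloudflare Guard?

Run the command "/install cloudflare-guard" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration.

Is Cloudflare Guard free?

Yes. Cloudflare Guard is completely free, is released under the MIT-0 license, and can be freely downloaded, installed, and used.

Which platforms does Cloudflare Guard support?

Cloudflare Guard is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Cloudflare Guard?

It is developed and maintained by Guilherme Favaron (@guifav); the current version is v0.1.2.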
