1999azzar

Cloudflare Manager

Author: azzar budiyanto · GitHub · v1.1.0
cross-platform ⚠ suspicious
Total downloads: 1369
Favorites: 0
Current installs: 7
Versions: 4
Install in OpenClaw: /install cloudflare-manager
Description
Manage Cloudflare DNS records, Tunnels (cloudflared), and Zero Trust policies. Use for pointing domains, exposing local services via tunnels, and updating in...
Usage instructions (SKILL.md)

Cloudflare Manager

Standardized system for managing Cloudflare infrastructure and local tunnel ingress.

Prerequisites

  • Binary: python3 and cloudflared must be installed.
  • Credentials: CLOUDFLARE_API_TOKEN (minimal Zone permissions) and CLOUDFLARE_ZONE_ID.

Setup

  1. Define credentials in the environment or a local .env file.
  2. Initialize the local environment: bash scripts/install.sh.

Core Workflows

1. DNS Management

Add, list, or delete DNS records via Cloudflare API.

  • List: python3 $WORKSPACE/skills/cloudflare-manager/scripts/cf_manager.py list-dns
  • Add: python3 $WORKSPACE/skills/cloudflare-manager/scripts/cf_manager.py add-dns --type A --name <subdomain> --content <ip>

2. Tunnel Ingress (Local)

Update /etc/cloudflared/config.yml and restart the tunnel service.

  • Update: python3 $WORKSPACE/skills/cloudflare-manager/scripts/cf_manager.py update-ingress --hostname <host> --service <url>
  • Safety: Use --dry-run to preview configuration changes before application.

Security & Permissions

  • Sudo Usage: The update-ingress command requires sudo to write to system directories and restart the cloudflared service.
  • Least Privilege: Configure restricted sudo access using the pattern in references/sudoers.example.
  • Token Isolation: Ensure API tokens are scoped narrowly to specific zones and permissions.

Reference

Security usage recommendations
This skill appears to do what it says (manage Cloudflare DNS and cloudflared ingress) and installs only Python dependencies into a local virtualenv, but it will attempt privileged operations on the host: editing /etc/cloudflared/config.yml and restarting the cloudflared systemd service via sudo. Before installing or running:

  1. Verify CLOUDFLARE_API_TOKEN is scoped to the minimum necessary permissions and intended zone.
  2. Inspect scripts/cf_manager.py yourself and run commands with --dry-run to preview changes.
  3. Confirm cloudflared is installed and CONFIG_PATH (/etc/cloudflared/config.yml) is correct for your system.
  4. Because the tool uses sudo, create a restricted sudoers rule (the docs reference a sudoers.example, but that file is not included) limiting the allowed commands (e.g., tee /etc/cloudflared/config.yml and systemctl restart cloudflared).
  5. Run the install script in a safe environment to create the venv and review packages installed.

If you need tighter assurance, request the missing sudoers.example and explicit Zero Trust policy management details from the author.
Functional analysis
Type: OpenClaw Skill
Name: cloudflare-manager
Version: 1.1.0

The skill is classified as suspicious due to significant vulnerabilities, primarily in `scripts/cf_manager.py`. The `update_ingress` function directly inserts user-provided `hostname` and `service` arguments into the `/etc/cloudflared/config.yml` file without sanitization. This creates a high risk of command injection or YAML injection if the `cloudflared` binary or its YAML parser can be exploited by crafted input, potentially leading to arbitrary code execution. Additionally, the skill explicitly requires and uses `sudo` for reading/writing system configuration files (`/etc/cloudflared/config.yml`) and restarting the `cloudflared` service, which, if `sudoers` is not configured with strict least privilege as advised in `SKILL.md`, presents a privilege escalation vulnerability.
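
One way to close the unsanitized-input gap described above, as an added example that is not code from the skill or its author: validate `hostname` and `service` before they reach the config, and hand the result to a YAML serializer (PyYAML's `yaml.safe_dump`) as data instead of interpolating strings. The function names and the scheme allow-list are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# One RFC 1123 label: letters, digits, inner hyphens, 1-63 characters.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
# Assumed policy: the only origin schemes this deployment permits.
ALLOWED_SCHEMES = {"http", "https", "tcp", "ssh", "rdp"}


def validate_hostname(hostname: str) -> str:
    """Return hostname unchanged if it is a plain or wildcard FQDN."""
    name = hostname[2:] if hostname.startswith("*.") else hostname
    labels = name.split(".")
    if len(hostname) > 253 or len(labels) < 2:
        raise ValueError(f"not a fully qualified hostname: {hostname!r}")
    if not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError(f"illegal label in hostname: {hostname!r}")
    return hostname


def validate_service(service: str) -> str:
    """Return service unchanged if it is an allowed origin URL."""
    if re.fullmatch(r"http_status:[1-5][0-9]{2}", service):
        return service
    # Newlines and spaces are what let a value break out of its YAML scalar.
    if any(ch.isspace() or not ch.isprintable() for ch in service):
        raise ValueError(f"whitespace or control character: {service!r}")
    parts = urlsplit(service)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {service!r}")
    if not parts.hostname or "@" in parts.netloc or parts.query or parts.fragment:
        raise ValueError(f"unexpected URL component: {service!r}")
    _ = parts.port  # property raises ValueError for a bad or out-of-range port
    return service


def build_ingress_rule(hostname: str, service: str) -> dict:
    """Validated rule as data for yaml.safe_dump, never string interpolation."""
    return {"hostname": validate_hostname(hostname),
            "service": validate_service(service)}


if __name__ == "__main__":
    # Constructed sample values, not taken from the skill or its tests.
    print(build_ingress_rule("app.example.com", "http://localhost:8000"))
```
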
Capability assessment
Purpose & Capability
Name, description, required binaries (python3, cloudflared), and required env vars (CLOUDFLARE_API_TOKEN, CLOUDFLARE_ZONE_ID) align with a Cloudflare DNS/tunnel manager. Minor mismatch: the description mentions 'Zero Trust policies' but the CLI implements DNS, zone settings (update_setting), and ingress updates; there is no explicit high-level Zero Trust policy management surface in the code.
Instruction Scope
SKILL.md and cf_manager.py stick to Cloudflare API calls and editing cloudflared config. However, the runtime instructions and script will read/write /etc/cloudflared/config.yml and restart the cloudflared systemd service using sudo. The docs reference references/sudoers.example for least-privilege sudo configuration, but that file is not present in the provided manifest — an inconsistency to resolve. The SKILL.md also uses $WORKSPACE paths which may not exist in all runtimes.
Install Mechanism
Install is local: scripts/install.sh creates a virtualenv and pip-installs 'requests' and 'PyYAML' from requirements.txt. No remote, arbitrary archive downloads or obscure third-party installers are used.
Credentials
Only Cloudflare credentials are required (CLOUDFLARE_API_TOKEN, CLOUDFLARE_ZONE_ID). The script also accepts CF_API_TOKEN / CF_ZONE_ID as fallbacks, which is reasonable. No unrelated credentials or broad secrets are requested.
Persistence & Privilege
The skill is not always-enabled and does not demand persistent platform privileges. It does, however, require sudo to update system config and restart cloudflared for the 'update-ingress' workflow — a legitimate need for this functionality but high-privilege. Ensure sudo is scoped tightly (the SKILL.md suggests this) before allowing these operations.
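How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install cloudflare-manager
  3. After installation, invoke the Skill by name or trigger it with /cloudflare-manager
  4. Provide the required inputs according to the Skill's parameter description to get structured output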
Version history
v1.1.0
Addressed audit findings: declared env requirements (API Token, Zone ID), verified manifest inclusion of sudoers.example, and standardized metadata.
v1.0.2
- Added installation instructions for Python dependencies and a setup script.
- Introduced requirements.txt and install.sh for streamlined environment setup.
- Updated usage examples to use the local virtual environment Python.
- Enhanced security guidance: now references a sample sudoers file for tighter privilege control.
v1.0.1
Version 1.0.1
- Updated configuration instructions to specify required environment variables: CLOUDFLARE_API_TOKEN and CLOUDFLARE_ZONE_ID, with legacy support for CF_API_TOKEN and CF_ZONE_ID.
- Added a detailed section for command-line usage of scripts/cf_manager.py, including syntax, options, and practical examples.
- Clarified security requirements, including API token permissions and sudo access for privileged commands.
- Added guidance on using the --dry-run option to safely preview configuration changes.
- Improved documentation structure and clarity for setup and operation.
v1.0.0
Cloudflare Manager 1.0.0 initial release:
- Manage Cloudflare DNS records (add, edit, delete A/CNAME).
- Set up and configure Cloudflare Tunnels using cloudflared.
- Manage Zero Trust security policies, including Access and WAF rules.
- Provides setup instructions and security best practices.
- Outputs commands or API requests for cloud operations.
Metadata
Slug: cloudflare-manager
Version: 1.1.0
License:
Total installs: 7
Current installs: 7
Historical versions: 4
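Frequently asked questions

What is Cloudflare Manager?

Manage Cloudflare DNS records, Tunnels (cloudflared), and Zero Trust policies. Use for pointing domains, exposing local services via tunnels, and updating in... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1369 total downloads to date.

How do I install Cloudflare Manager?

Run the command "/install cloudflare-manager" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Cloudflare Manager free?

Yes, Cloudflare Manager is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Cloudflare Manager support?

Cloudflare Manager runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Cloudflare Manager?

Developed and maintained by azzar budiyanto (@1999azzar); the current version is v1.1.0.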
