
OpenClaw Cloudflare Secure

Author: jskoiz · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 1508
Favorites: 0
Current installs: 4
Versions: 1
Install in OpenClaw
/install openclaw-cloudflare-secure
Description
Securely expose an OpenClaw Gateway WebUI on a VPS via Cloudflare Zero Trust Access + Cloudflare Tunnel (cloudflared), including DNS cutover for custom hostnames and optional cleanup of Tailscale Serve.
Security usage recommendations
Before installing, be aware of these points:
- The SKILL.md and scripts require a CLOUDFLARE_API_TOKEN (and a separate cloudflared tunnel token) even though the registry metadata says none — do not rely solely on the registry summary when deciding to provide credentials.
- Provide a token with the least-privilege permissions recommended (Zone:DNS:Edit + Zone:Zone:Read) and rotate/revoke it after use if appropriate.
- The dns_point_hostname_to_tunnel.sh script will delete any existing A/AAAA/CNAME records for the hostname — back up DNS records or confirm you want that change before running.
- install_cloudflared.sh downloads and installs a .deb from GitHub without checksum verification; consider verifying the release manually or installing cloudflared via your distro's package manager or a signed artifact if you need stronger supply-chain assurance.
- The scripts require sudo (systemctl, dpkg) and assume amd64; verify target host architecture and run in a controlled environment first.
- If you need higher assurance, review the cf_dns.py and shell scripts line-by-line, and test in a non-production environment. Ask the publisher to update the registry metadata to declare CLOUDFLARE_API_TOKEN as a required env var and to add checksum verification for the downloaded package.
Analysis
Type: OpenClaw Skill
Name: openclaw-cloudflare-secure
Version: 1.0.0
This skill is classified as suspicious due to its reliance on high-privilege operations and sensitive API token usage, even though these are necessary for its stated purpose. Specifically, the `scripts/install_cloudflared.sh` script downloads and installs software from an external source using `wget` and `sudo dpkg -i`, and `scripts/tunnel_service_install.sh` installs and enables a system service using `sudo cloudflared service install` and `sudo systemctl enable --now cloudflared`. Furthermore, `scripts/cf_dns.py` and its wrappers (`dns_create_record.sh`, `dns_point_hostname_to_tunnel.sh`) manage Cloudflare DNS records using a `CLOUDFLARE_API_TOKEN`, which grants significant control over DNS. While these actions are directly aligned with the goal of setting up a Cloudflare Tunnel and DNS, the inherent risks associated with `sudo` and API token management warrant a 'suspicious' classification, as per the defined threshold for risky capabilities without clear malicious intent.
Capability assessment
Purpose & Capability
Functionality matches the name/description: it installs cloudflared, configures a tunnel, and manages Cloudflare DNS to point a hostname at the tunnel. However, the registry metadata claims no required environment variables while the SKILL.md and cf_dns.py require CLOUDFLARE_API_TOKEN — an incoherence between claim and actual requirements.
Instruction Scope
SKILL.md is prescriptive and stays on-topic: it instructs installing cloudflared, running a service install with a tunnel token, creating an Access app in the Zero Trust UI, and creating/upserting DNS records. The scripts will delete existing A/AAAA/CNAME records for a hostname (explicitly), which is disruptive but consistent with the stated 'DNS cutover' purpose. All network calls are to Cloudflare API or GitHub releases; no unexpected external endpoints are present.
Install Mechanism
install_cloudflared.sh downloads an official GitHub release .deb and installs it with dpkg. The source domain (github.com/cloudflare/cloudflared) is legitimate, but there is no checksum/signature verification in the script — this increases risk slightly compared with a verified package install.
Credentials
The code and documentation require CLOUDFLARE_API_TOKEN (and you must provide a tunnel token at runtime). The token requirement is appropriate for DNS edits and is scoped in the docs to least-privilege permissions, but the skill registry metadata incorrectly lists no required env vars. That mismatch is important: if you rely on registry metadata to decide whether to grant tokens, it understates the required credential access.
Persistence & Privilege
The skill does not request 'always: true'. The scripts enable a systemd service (cloudflared), which is expected for a tunnel. The skill does not modify other skills' configs or ask for system-wide agent settings beyond installing and enabling cloudflared.
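How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install openclaw-cloudflare-secure
  3. Once installation completes, invoke the Skill by name or trigger it with /openclaw-cloudflare-secure
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history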
v1.0.0
Initial release: Cloudflare Tunnel + Access pattern for OpenClaw WebUI; includes bundled DNS helper for least-privilege subdomain/record management.
Metadata
Slug openclaw-cloudflare-secure
Version 1.0.0
License
Total installs 5
Current installs 4
Number of versions 1
FAQ

What is OpenClaw Cloudflare Secure?

Securely expose an OpenClaw Gateway WebUI on a VPS via Cloudflare Zero Trust Access + Cloudflare Tunnel (cloudflared), including DNS cutover for custom hostnames and optional cleanup of Tailscale Serve. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1508 total downloads to date.

How do I install OpenClaw Cloudflare Secure?

Run the command "/install openclaw-cloudflare-secure" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration required.

Is OpenClaw Cloudflare Secure free?

Yes, OpenClaw Cloudflare Secure is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does OpenClaw Cloudflare Secure support?

OpenClaw Cloudflare Secure runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed OpenClaw Cloudflare Secure?

Developed and maintained by jskoiz (@jskoiz); the current version is v1.0.0.
