Scan Report
Score: 5/100
Dev & Deploy
Quickly create and deploy a web app to Cloudflare Pages; includes a safety-confirmation mechanism for file overwrites, Git pushes and system modifications.
Legitimate Dev & Deploy tool for Cloudflare Pages with properly documented shell execution and filesystem operations.
Safe to install
No security concerns. The skill is safe to use with standard precautions.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | deploy.js:360 (fs.writeFileSync), deploy.js:280 (fs.cpSync) |
| Shell | WRITE | WRITE | ✓ Aligned | deploy.js:115 (execSync for git --version), deploy.js:490 (git operations), depl… |
| Network | READ | READ | ✓ Aligned | deploy.js:575 (fetch() for deployment testing) |
| Environment | READ | READ | ✓ Aligned | deploy.js:80 (CLOUDFLARE_API_TOKEN read for deployment) |
2 findings

| Severity | Type | Value | Location |
|---|---|---|---|
| Medium | External URL | https://dash.cloudflare.com/profile/api-tokens | SKILL.md:62 |
| Medium | External URL | https://developers.cloudflare.com/fundamentals/api/get-started/create-token/ | SKILL.md:63 |

Both URLs are official Cloudflare pages for creating an API token, referenced from the setup instructions in SKILL.md; they are documentation links, not fetch targets in deploy.js.

File Tree
2 files · 26.2 KB · 917 lines (JavaScript: 1 file, 765 lines; Markdown: 1 file, 152 lines)
├─ deploy.js (JavaScript)
└─ SKILL.md (Markdown)
Security Positives
✓ Comprehensive SKILL.md documentation with security confirmation workflow
✓ User confirmation required before destructive operations (file overwrite, git push, system installs)
✓ Project name validation to prevent arbitrary path traversal
✓ Cloudflare API token read from environment only, not hardcoded or exfiltrated
✓ No arbitrary code execution - only documented CLI tools (git, gh, wrangler)
✓ Git operations limited to user-authorized repositories
✓ Clean subprocess usage with proper argument handling: execFileSync with an argument array wherever user-supplied values are passed; execSync only for fixed command strings such as git --version
✓ No credential exfiltration - token used only for Cloudflare API calls
✓ No obfuscation or base64-encoded commands
✓ Native Node.js only; no external dependencies, so no third-party package supply-chain attack surface