Skill Trust Decision

buy-domain-helper

Skill has multiple undeclared shell execution patterns, supply-chain risk from npx -y arbitrary package execution, and potential command injection from unsanitized user inputs passed to wrangler CLI.

Source: Manual upload
Scanned: Apr 4, 2026
Files 4
Artifacts 8
Violations 4
Findings 5

Why this conclusion was reached

2/4 dimensions flagged

Block · Declared vs actual capability
4 undeclared or violating capabilities were inferred.

Review · Hidden execution and egress
8 lower-risk artifacts were extracted and still need context.

Block · Attack chain and severe findings
The report includes 0 attack-chain steps and 2 severe findings.

Review · Dependencies and supply chain hygiene
1 dependency or supply-chain issue needs attention.

What drove the risk score up

Undeclared shell: execSync for wrangler and brew install +20

site.js uses execSync extensively but SKILL.md env:[] and bins:[node,cloudflared,wrangler] declare no shell execution capability. wrangler and brew are not declared as allowed tools.

Undeclared npx arbitrary package execution +15

site.js line 90: spawn('npx', ['-y', 'serve', target, ...]) downloads and executes an arbitrary unpinned npm package at runtime. Not mentioned in SKILL.md or README.

Undeclared environment variable access +10

site.js reads CF_API_TOKEN, CF_ACCOUNT_ID, CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID from process.env, but SKILL.md declares env:[]. The full process.env is also inherited by child processes.

Undeclared dependency on npm/pip package availability +5

The skill relies on npx serve being available from the npm registry, with no version pinning or lockfile.

Command injection risk in wrangler CLI invocation +5

projectName and dir are interpolated into execSync shell strings without sanitization (lines 102, 103). Malformed input could alter wrangler behavior.

Most important evidence

High · Priv Escalation

Undeclared shell execution via execSync and spawn

site.js performs execSync('which cloudflared'), execSync('brew install cloudflared'), execSync(wrangler ...), spawn('cloudflared'...), spawn('npx'...) — all shell execution — but SKILL.md declares env:[] and only lists bins:[node,cloudflared,wrangler] with no shell or network declarations.

site.js:70-71, 90, 102

Declare shell:WRITE and network:READ in SKILL.md metadata. Replace brew install with a clear error message requiring manual installation. Remove npx serve or pin it as a dependency.

High · Supply Chain

npx -y serve downloads and executes arbitrary unpinned npm package at runtime

site.js line 90 executes 'npx -y serve' to serve static files before tunneling. This downloads and runs the latest 'serve' package from npm without version pinning, creating a supply-chain attack vector. The serve package is not in package.json dependencies.

site.js:90

Add 'serve' as a pinned dependency in package.json and invoke it via local node_modules instead of npx.

Medium · Doc Mismatch

NETA_TOKEN environment variable declared in package.json but absent from SKILL.md

package.json clawhub.env section declares a required NETA_TOKEN env var for 'Neta AI API token', but SKILL.md declares env:[] (empty array). This undeclared environment dependency is a doc-to-code mismatch.

package.json:7

Add NETA_TOKEN to SKILL.md env array with description, or remove from package.json if unused in site.js.

Medium · RCE

Command injection risk: unsanitized user inputs in shell commands

execSync on lines 102-103 interpolates projectName and dir (from user-provided CLI args) directly into a shell command string passed to wrangler. While wrangler likely handles this safely, passing arbitrary strings to a shell without validation is risky.

site.js:102

Validate that projectName matches expected pattern (alphanumeric, hyphens). Enforce dir exists and is within expected paths.

Medium · Priv Escalation

Full process.env inherited by child processes

site.js line 104 passes the entire process.env to wrangler via env:{...process.env, CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID}. This exposes all environment variables (including potentially sensitive ones) to the child process.

site.js:104

Pass only the specific environment variables needed (CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID, PATH) without spreading process.env.

Declared capability vs actual capability

Capability | Verdict | Declared | Inferred | Evidence
Shell | Block | NONE | WRITE | site.js:70 execSync('which cloudflared'); site.js:71 execSync('brew install cloudflared'); site.js:102 execSync(wrangler command)
Network | Block | NONE | READ | site.js:26 fetches api.cloudflare.com; site.js:90 spawns npx which reaches npm registry
Environment | Block | NONE | READ | site.js:29-30 reads CF_API_TOKEN, CF_ACCOUNT_ID; site.js:104 passes full process.env to child process
Filesystem | Block | NONE | WRITE | site.js:90 npx serve writes to disk in /tmp; wrangler deploy writes build artifacts

Suspicious artifacts and egress

Medium · External URL · https://abc.trycloudflare.com · README.md:41
Medium · External URL · https://*.trycloudflare.com · README.md:65
Medium · External URL · https://dash.cloudflare.com/profile/api-tokens · README.md:81
Medium · External URL · https://abc123.my-site.pages.dev · README.md:88
Medium · External URL · https://dash.cloudflare.com/ · README.md:110
Medium · External URL · https://mysite.com · README.md:149
Medium · External URL · https://www.neta.art/open/ · package.json:9
Medium · External URL · https://api.cloudflare.com/client/v4 · site.js:26

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
serve | unpinned | npm (via npx -y) | No | Not listed in package.json; downloaded at runtime via npx -y without version pin — supply-chain risk
cloudflared | unpinned | Homebrew | No | Installed via brew install if missing, not declared in package.json
wrangler | unpinned | npm/global | No | Required binary, not declared in package.json

File composition

4 files · 420 lines
Markdown 2 files · 240 lines
JavaScript 1 file · 166 lines
JSON 1 file · 14 lines
Files of concern · 3
site.js JavaScript · 166 lines
Undeclared shell execution via execSync and spawn · npx -y serve downloads and executes arbitrary unpinned npm package at runtime · Command injection risk: unsanitized user inputs in shell commands · Full process.env inherited by child processes · https://api.cloudflare.com/client/v4
README.md Markdown · 191 lines
https://abc.trycloudflare.com · https://*.trycloudflare.com · https://dash.cloudflare.com/profile/api-tokens · https://abc123.my-site.pages.dev · https://dash.cloudflare.com/ · https://mysite.com
package.json JSON · 14 lines
NETA_TOKEN environment variable declared in package.json but absent from SKILL.md · https://www.neta.art/open/
Other files · SKILL.md

Security positives

No credential exfiltration — tokens are used only for Cloudflare API calls
README.md is thorough and transparently documents the tunnel, pages, and DNS layers
No base64-encoded payloads or obfuscated code
No attempt to access ~/.ssh, ~/.aws, .env, or other sensitive paths
No persistence mechanisms (cron, startup hooks, backdoors) detected
API calls are limited to official Cloudflare API endpoints