SkillTotal

Is Cloudflare MCP server safe?

@cloudflare/mcp-server-cloudflare is an AI npm_package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 7 risky constructs are reported for review. It can: filesystem read, filesystem write, install time execution, mcp tools detected, network egress and shell execution — capabilities are what the code can do, not a verdict on intent. Risk score 0/100 (low).

@cloudflare/mcp-server-cloudflare 1.0.0

npm_package · https://github.com/cloudflare/mcp-server-cloudflare
LOW
0
/ 100 malicious-risk
Snapshot · scanned Jun 20, 2026 · @cloudflare/mcp-server-cloudflare@1.0.0 · engine 0.18.0 / ruleset 19
No malicious indicators - review capabilities before installing
Notable — review in context (capabilities are not malware):
  • Node.js shell/command execution
  • npm install-time lifecycle hook
  • Dangerous MCP tool capability

No malicious indicators found by static analysis.

Capabilities — what this component can do (not a risk score):
filesystem readfilesystem writeinstall time executionmcp tools detectednetwork egressshell execution

Findings (7)

HIGHnpm install-time lifecycle hookST-INSTALL-NPM

package.json runs scripts automatically when the package is installed.

apps/sandbox-container/package.json:14-14 
"postinstall": "mkdir -p workdir",

Why it matters: Install scripts are a favorite supply-chain foothold — they execute on every machine that installs the package.

Fix: Inspect the hook command. Install-time scripts are a common supply chain execution vector; ensure they do nothing beyond a documented build step.

HIGHDangerous MCP tool capabilityST-MCP-DANGEROUS-TOOL

An MCP tool exposes a powerful capability (files, shell, network, browser, or credentials).

apps/radar/src/tools/radar.tools.ts:1829-1830 
agent.server.registerTool(
		'get_leaked_credentials_data',
apps/sandbox-container/server/containerMcp.ts:132-133 
this.server.registerTool(
			'container_file_write',
apps/sandbox-container/server/containerMcp.ts:169-170 
this.server.registerTool(
			'container_file_read',

Why it matters: Wired into an agent, these grant it real access to your machine — confirm each is required.

Fix: Confirm each powerful tool is required and constrained; broad MCP tools (shell/filesystem/network) grant an agent significant host access.

HIGHNode.js shell/command executionST-SHELL-NODE

The component can run operating-system commands or spawn processes.

apps/ai-gateway/worker-configuration.d.ts:3059-3059 
exec(input?: (string | URLPatternInit), baseURL?: string): URLPatternResult | null;
apps/ai-gateway/worker-configuration.d.ts:11903-11903 
exec(query: string): Promise<D1ExecResult>;
apps/auditlogs/worker-configuration.d.ts:3059-3059 
exec(input?: (string | URLPatternInit), baseURL?: string): URLPatternResult | null;
apps/auditlogs/worker-configuration.d.ts:11903-11903 
exec(query: string): Promise<D1ExecResult>;
apps/autorag/worker-configuration.d.ts:3059-3059 
exec(input?: (string | URLPatternInit), baseURL?: string): URLPatternResult | null;
apps/autorag/worker-configuration.d.ts:11903-11903 
exec(query: string): Promise<D1ExecResult>;
apps/browser-rendering/worker-configuration.d.ts:3059-3059 
exec(input?: (string | URLPatternInit), baseURL?: string): URLPatternResult | null;
apps/browser-rendering/worker-configuration.d.ts:11903-11903 
exec(query: string): Promise<D1ExecResult>;
apps/cloudflare-one-casb/worker-configuration.d.ts:3055-3055 
exec(input?: (string | URLPatternInit), baseURL?: string): URLPatternResult | null;
apps/cloudflare-one-casb/worker-configuration.d.ts:11899-11899 
exec(query: string): Promise<D1ExecResult>;
apps/demo-day/worker-configuration.d.ts:3041-3041 
exec(input?: (string | URLPatternInit), baseURL?: string): URLPatternResult | null;
apps/demo-day/worker-configuration.d.ts:11885-11885 
exec(query: string): Promise<D1ExecResult>;
apps/dex-analysis/worker-configuration.d.ts:3056-3056 
exec(input?: (string | URLPatternInit), baseURL?: string): URLPatternResult | null;
apps/dex-analysis/worker-configuration.d.ts:11900-11900 
exec(query: string): Promise<D1ExecResult>;
apps/dns-analytics/worker-configuration.d.ts:3059-3059 
exec(input?: (string | URLPatternInit), baseURL?: string): URLPatternResult | null;
apps/dns-analytics/worker-configuration.d.ts:11903-11903 
exec(query: string): Promise<D1ExecResult>;
apps/docs-ai-search/worker-configuration.d.ts:3056-3056 
exec(input?: (string | URLPatternInit), baseURL?: string): URLPatternResult | null;
apps/docs-ai-search/worker-configuration.d.ts:11900-11900 
exec(query: string): Promise<D1ExecResult>;
apps/docs-autorag/worker-configuration.d.ts:3056-3056 
exec(input?: (string | URLPatternInit), baseURL?: string): URLPatternResult | null;
apps/docs-autorag/worker-configuration.d.ts:11900-11900 
exec(query: string): Promise<D1ExecResult>;
apps/docs-vectorize/worker-configuration.d.ts:3059-3059 
exec(input?: (string | URLPatternInit), baseURL?: string): URLPatternResult | null;
apps/docs-vectorize/worker-configuration.d.ts:11903-11903 
exec(query: string): Promise<D1ExecResult>;
apps/graphql/worker-configuration.d.ts:3059-3059 
exec(input?: (string | URLPatternInit), baseURL?: string): URLPatternResult | null;
apps/graphql/worker-configuration.d.ts:11903-11903 
exec(query: string): Promise<D1ExecResult>;
apps/logpush/worker-configuration.d.ts:3059-3059 
exec(input?: (string | URLPatternInit), baseURL?: string): URLPatternResult | null;

Why it matters: Powerful and often legitimate — confirm the commands aren't built from untrusted input.

Fix: Confirm the command and its arguments are fully controlled and not derived from untrusted input; prefer execFile with an argument array.

MEDIUMNode.js filesystem readST-FS-NODE-READ

The component reads files from disk.

apps/sandbox-container/container/sandbox.container.app.ts:75-75 
const contents = await fs.readFile(path.join(process.cwd(), reqPath))

Why it matters: Usually legitimate, but worth confirming it can't be steered into reading sensitive files.

Fix: Confirm which files are read and that paths cannot be influenced by untrusted input to reach sensitive locations.

MEDIUMNode.js filesystem write/deleteST-FS-NODE-WRITE

The component writes or deletes files on disk.

apps/sandbox-container/container/sandbox.container.app.ts:104-104 
await fs.writeFile(reqPath, file.text)
apps/sandbox-container/container/sandbox.container.app.ts:120-120 
await fs.rm(path.join(process.cwd(), reqPath), { recursive: true })

Why it matters: Usually legitimate, but worth confirming the paths can't be controlled by untrusted input.

Fix: Confirm which files are written/deleted and that paths cannot be influenced by untrusted input.

MEDIUMNode.js network egressST-NET-NODE

The component makes outbound network requests.

apps/ai-gateway/src/ai-gateway.app.ts:104-104 
}).fetch(req, env, ctx)
apps/ai-gateway/worker-configuration.d.ts:328-328 
fetch(input: RequestInfo | URL, init?: RequestInit<RequestInitCfProperties>): Promise<Response>;
apps/ai-gateway/worker-configuration.d.ts:424-424 
declare function fetch(input: RequestInfo | URL, init?: RequestInit<RequestInitCfProperties>): Promise<Response>;
apps/ai-gateway/worker-configuration.d.ts:517-517 
fetch(request: Request): Response | Promise<Response>;
apps/ai-gateway/worker-configuration.d.ts:1862-1862 
fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;
apps/ai-gateway/worker-configuration.d.ts:3682-3682 
*   async fetch(_request: Request, env: Env): Promise<Response> {
apps/ai-gateway/worker-configuration.d.ts:10941-10941 
fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;
apps/ai-gateway/worker-configuration.d.ts:14188-14188 
* global `fetch()` API against the result's `url`, at which point the
apps/ai-gateway/worker-configuration.d.ts:14235-14235 
* result's body, fetch the URL with the global `fetch()` API.
apps/ai-gateway/worker-configuration.d.ts:14255-14255 
* const page = await fetch(top.url);
apps/auditlogs/src/auditlogs.app.ts:105-105 
}).fetch(req, env, ctx)
apps/auditlogs/worker-configuration.d.ts:328-328 
fetch(input: RequestInfo | URL, init?: RequestInit<RequestInitCfProperties>): Promise<Response>;
apps/auditlogs/worker-configuration.d.ts:424-424 
declare function fetch(input: RequestInfo | URL, init?: RequestInit<RequestInitCfProperties>): Promise<Response>;
apps/auditlogs/worker-configuration.d.ts:517-517 
fetch(request: Request): Response | Promise<Response>;
apps/auditlogs/worker-configuration.d.ts:1862-1862 
fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;
apps/auditlogs/worker-configuration.d.ts:3682-3682 
*   async fetch(_request: Request, env: Env): Promise<Response> {
apps/auditlogs/worker-configuration.d.ts:10941-10941 
fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;
apps/auditlogs/worker-configuration.d.ts:14188-14188 
* global `fetch()` API against the result's `url`, at which point the
apps/auditlogs/worker-configuration.d.ts:14235-14235 
* result's body, fetch the URL with the global `fetch()` API.
apps/auditlogs/worker-configuration.d.ts:14255-14255 
* const page = await fetch(top.url);
apps/autorag/src/autorag.app.ts:138-138 
}).fetch(req, env, ctx)
apps/autorag/worker-configuration.d.ts:328-328 
fetch(input: RequestInfo | URL, init?: RequestInit<RequestInitCfProperties>): Promise<Response>;
apps/autorag/worker-configuration.d.ts:424-424 
declare function fetch(input: RequestInfo | URL, init?: RequestInit<RequestInitCfProperties>): Promise<Response>;
apps/autorag/worker-configuration.d.ts:517-517 
fetch(request: Request): Response | Promise<Response>;
apps/autorag/worker-configuration.d.ts:1862-1862 
fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;

Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.

Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.

LOWMCP tool surface detectedST-MCP-DETECTED

An MCP tool surface (manifest or tool definitions) was found.

server.json:1-1 
{
apps/demo-day/src/demo-day.app.ts:40-40 
this.server.registerTool(
apps/dns-analytics/src/tools/dex-analytics.tools.ts:19-19 
agent.server.registerTool(
apps/dns-analytics/src/tools/dex-analytics.tools.ts:100-100 
agent.server.registerTool(
apps/docs-autorag/src/tools/docs-autorag.tools.ts:13-13 
agent.server.registerTool(
apps/graphql/src/tools/graphql.tools.ts:1013-1013 
agent.server.registerTool(
apps/radar/src/tools/radar.tools.ts:188-188 
agent.server.registerTool(
apps/radar/src/tools/radar.tools.ts:233-233 
agent.server.registerTool(
apps/radar/src/tools/radar.tools.ts:270-270 
agent.server.registerTool(
apps/radar/src/tools/radar.tools.ts:315-315 
agent.server.registerTool(
apps/radar/src/tools/radar.tools.ts:367-367 
agent.server.registerTool(
apps/radar/src/tools/radar.tools.ts:410-410 
agent.server.registerTool(
apps/radar/src/tools/radar.tools.ts:455-455 
agent.server.registerTool(
apps/radar/src/tools/radar.tools.ts:493-493 
agent.server.registerTool(
apps/radar/src/tools/radar.tools.ts:555-555 
agent.server.registerTool(
apps/radar/src/tools/radar.tools.ts:614-614 
agent.server.registerTool(
apps/radar/src/tools/radar.tools.ts:675-675 
agent.server.registerTool(
apps/radar/src/tools/radar.tools.ts:736-736 
agent.server.registerTool(
apps/radar/src/tools/radar.tools.ts:780-780 
agent.server.registerTool(
apps/radar/src/tools/radar.tools.ts:824-824 
agent.server.registerTool(
apps/radar/src/tools/radar.tools.ts:877-877 
agent.server.registerTool(
apps/radar/src/tools/radar.tools.ts:930-930 
agent.server.registerTool(
apps/radar/src/tools/radar.tools.ts:995-995 
agent.server.registerTool(
apps/radar/src/tools/radar.tools.ts:1073-1073 
agent.server.registerTool(
apps/radar/src/tools/radar.tools.ts:1139-1139 
agent.server.registerTool(

Why it matters: Just context — review which tools it offers and their permissions.

Fix: Review the declared MCP tools and their permissions.

Check your own component

Run the same evidence-backed scan on any MCP server, agent skill, or package.

Scan your own component

Or get notified if this component's risk changes:

How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution. Methodology →