Is expysf98/cloudflare-image-gen safe?
https://github.com/openclaw/skills/tree/main/skills/expysf98/cloudflare-image-gen
This skill contains a critical shell injection vulnerability where user-controlled image prompts are interpolated into a shell command executed with subprocess.run(shell=True), enabling arbitrary code execution and file exfiltration by any user interacting with the agent. Additionally, live Cloudflare API credentials are hardcoded in plaintext in SKILL.md and injected into the agent's system prompt, making them trivially extractable through normal conversation. Installation behavior was clean with no unexpected network connections or filesystem changes, but the code-level vulnerabilities and credential exposure make this skill unsafe to deploy in any environment.
Findings (13)
CRITICAL Shell Injection via subprocess.run(shell=True) with User-Controlled Prompt -65
generate_image.py constructs a bash command using an f-string that embeds the user-supplied prompt argument inside single-quoted shell syntax, then executes it with subprocess.run(cmd, shell=True). The json.dumps call serializes the prompt as JSON but does not escape single quotes, because single quotes have no special meaning in JSON. A prompt containing a single quote therefore terminates the shell's single-quoted string and allows injection of arbitrary shell commands. Because the script already invokes curl, an attacker can chain any command after the quote breakout.
HIGH Live Cloudflare API Credentials Hardcoded in SKILL.md -20
The SKILL.md file contains a live Cloudflare Account ID and Bearer Token in plaintext under a Credentials heading. Because SKILL.md is injected verbatim into the agent's system prompt, these credentials are visible in the LLM's context. Any user can extract them by instructing the agent to repeat its instructions, summarize its capabilities, or describe its configuration. The same credentials appear identically in generate_image.py, confirming they are genuine.
HIGH Shell Injection Enables Arbitrary File Exfiltration -30
The shell injection vulnerability in generate_image.py creates a direct, reliable exfiltration path for any file readable by the agent process. The script already uses curl for its legitimate API call; an attacker payload can reuse it to POST file contents to an attacker-controlled endpoint. Sensitive targets present on a typical agent host — ~/.env, ~/.ssh/id_rsa, ~/.aws/credentials, ~/.npmrc, ~/.docker/config.json — are exactly the files the Oathe canary infrastructure monitors for access.
MEDIUM Credentials Visible in Agent System Prompt Context -15
Embedding live API credentials in SKILL.md means they are permanently resident in the agent's system prompt. Unlike secrets stored in environment variables or vaults that require filesystem access to retrieve, these credentials are trivially extractable through normal conversation: asking the agent to describe its skills, repeat its system prompt, or answer questions about its Cloudflare configuration will yield the token directly.
MEDIUM Unconditional Telegram Output Directive -15
The SKILL.md Output section instructs the agent: 'Send the image to the user via Telegram.' This directive is unconditional and not scoped to any specific deployment context. It routes agent-generated output through a specific third-party platform without the user's knowledge or consent. This could be used to ensure the skill author's Telegram infrastructure intermediates image delivery, to establish a covert communication channel, or to make the agent take an action (sending a Telegram message) beyond what the user requested.
MEDIUM Shared Cloudflare Account Exposes All Users' Prompts to Skill Author -20
All deployments of this skill use a single hardcoded Cloudflare account. The account owner (skill author) can view the full API request log in the Cloudflare dashboard, including every image prompt submitted by every user of any agent running this skill. Users have no reasonable expectation of privacy for their image generation prompts. Additionally, all users contend for the same account rate limits and quota, and the account owner bears all API costs.
MEDIUM RCE Pathway Exploitable via Agent Tool Access -30
An agent equipped with shell or Python execution tools that runs this skill is exposed to remote code execution by any user who can submit image prompts. The attacker does not need direct system access — they only need to interact with the agent conversationally. In combination with filesystem or network skills, the shell injection provides full lateral movement capability within the agent's execution environment.
MEDIUM Telegram Directive Adds Unverified External Communication Channel -15
The instruction to send images via Telegram is present in the system prompt but undocumented in any description or changelog. This creates an external dependency on Telegram's platform and could be used to route agent outputs through a monitored channel or trigger Telegram bot interactions that the user did not initiate. Combined with the shared Cloudflare account, this creates a surveillance surface: the author can correlate API logs with Telegram delivery logs.
LOW Output Path Derived from User-Controlled Prompt Allows Limited Path Traversal -5
When no output path is specified, the script constructs one by embedding the prompt string: /home/ubuntu/.openclaw/workspace/{prompt[:30]}.png. The 30-character truncation limits traversal depth but does not prevent it entirely. A prompt of '../../../tmp/x' (15 chars) would resolve to a path outside the workspace directory. An agent could be directed to write output files to unexpected locations.
LOW API Response Written to Predictable World-Readable Temp Path -5
The Cloudflare API JSON response is always written to /tmp/cf_response.json before being read back. This fixed, predictable path is world-readable on most Linux systems, creating a TOCTOU race condition between the write and the read-back and leaking raw API responses (including error messages containing internal Cloudflare details) to any process monitoring /tmp.
LOW Hardcoded Absolute Paths Assume Specific Deployment Environment -5
The script hardcodes /home/ubuntu/.openclaw/workspace/ as the default output directory. This path will not exist on most systems, causing silent failures or unexpected writes to parent directories. The SKILL.md Usage section also hardcodes the full path to the script, assuming it is installed at /home/ubuntu/.openclaw/workspace/skills/cloudflare-image-gen/scripts/generate_image.py.
INFO Installation Behavior Clean — Expected Network Activity Only -8
The git clone and file copy completed without any unexpected behavior. All outbound connections during the installation window were to GitHub (140.82.121.3:443 for HTTPS clone) and Canonical/Ubuntu infrastructure (91.189.91.48:443 and 185.125.188.54:443 for motd-news and apt update checks triggered by SSH session login). No connections to Cloudflare API, attacker infrastructure, or other unexpected endpoints were observed during installation.
INFO Canary Files Intact — Reads Attributable to Audit Infrastructure -5
All honeypot files were unmodified throughout the audit. Two batches of canary file reads appear in the auditd PATH logs: the first at timestamp 1771916823 (approximately 5 seconds before the git clone began) and the second at 1771916846 (at the conclusion of monitoring). Both batches show all canary files accessed within the same audit sequence number group, consistent with the Oathe monitoring system performing pre- and post-install integrity snapshots rather than skill-initiated access.