ClawHub
Code PluginExecutes codesource-linked

Cloudflare

Native OpenClaw Cloudflare plugin for zones, DNS records, and cache purge workflows

Community code plugin. Review compatibility and verification before install.
cloudflare · runtime id cloudflare
Install
openclaw plugins install clawhub:cloudflare
Latest Release
Version 0.1.0
Compatibility
{
  "builtWithOpenClawVersion": "2026.3.23-2",
  "pluginApiRange": ">=2026.3.23"
}
Capabilities
{
  "bundledSkills": [],
  "capabilityTags": [
    "executes-code"
  ],
  "channels": [],
  "commandNames": [],
  "configSchema": true,
  "configUiHints": false,
  "executesCode": true,
  "hooks": [],
  "httpRouteCount": 0,
  "materializesDependencies": false,
  "providers": [],
  "runtimeId": "cloudflare",
  "serviceNames": [],
  "setupEntry": false,
  "toolNames": []
}
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the implementation: tools for zone discovery, DNS management, and cache purge. However, registry metadata claimed no required config/credentials while openclaw.plugin.json and code require a Cloudflare apiToken — this mismatch should be resolved.
Instruction Scope
SKILL.md only instructs how to build/install the plugin and how to configure it with a Cloudflare API token; runtime behaviour is limited to listing zones/DNS records, upserting/deleting records, and purging cache via api.cloudflare.com. It does not instruct reading unrelated files or exfiltrating data to unexpected endpoints.
Install Mechanism
There is no registry 'install' spec, but the package contains source, package.json and build steps (npm install, npm run build, openclaw plugins install .). This is not high-risk (no external arbitrary downloads), but the registry metadata marking it instruction-only is inconsistent with the included code and build instructions.
!
Credentials
The plugin legitimately requires a Cloudflare API token (and openclaw.plugin.json marks apiToken as required and sensitive). Registry-level fields listed no required credentials/env vars — that inconsistency is concerning because users might not be warned that a sensitive token must be supplied and stored in plugin config. Ensure the token is scoped to least privilege (DNS/Edit, Cache Purge, Zone:Read as needed) and that you trust where the config is stored.
Persistence & Privilege
The plugin does not request always:true, does not modify other plugins, and relies on normal OpenClaw plugin installation/configuration. It will run as a registered plugin and can be invoked by the agent (disable-model-invocation is false by default), which is standard.
Scan Findings in Context
[no-findings] expected: Static pre-scan reported no injection signals. The code makes direct calls only to https://api.cloudflare.com/client/v4, which is expected. The SKILL.md includes a pragma comment to allowlist the apiToken secret — expected for a plugin that requires an API key.
What to consider before installing
This plugin appears to do what it says (manage Cloudflare zones, DNS, and cache), but the package actually requires a Cloudflare API token even though the registry metadata didn't list credentials. Before installing: 1) only provide a Cloudflare token scoped to the minimum needed permissions (use per-action scopes: Zone:Read, DNS:Read/DNS:Edit, Cache Purge:Purge); 2) confirm where the plugin config (and token) will be stored and who can read it; 3) review the included source (store.ts/index.ts) yourself or only install from a trusted maintainer; 4) when using destructive actions (delete DNS, full cache purge), prefer specifying explicit zoneId and avoid using a broad token with account-wide edit rights. These metadata inconsistencies reduce confidence — resolve them with the publisher (why registry says no required config) before trusting the plugin in production.
Verification
{
  "hasProvenance": false,
  "scanStatus": "pending",
  "scope": "artifact-only",
  "sourceCommit": "5116351b4408558ab43188d53d84d32453cc092c",
  "sourceRepo": "clawic/plugins",
  "sourceTag": "main",
  "summary": "Validated package structure and linked the release to source metadata.",
  "tier": "source-linked"
}
Tags
{
  "latest": "0.1.0"
}

Cloudflare Plugin

Native OpenClaw plugin that adds Cloudflare API workflows with:

  • zone discovery by account, name, and status
  • DNS record listing, creation, update, and deletion
  • cache purge by full zone or explicit file URLs

Install

npm install
npm run build
openclaw plugins install .
openclaw plugins enable cloudflare
openclaw gateway restart

Config

{
  plugins: {
    entries: {
      cloudflare: {
        enabled: true,
        config: {
          apiToken: "YOUR_CLOUDFLARE_API_TOKEN", // pragma: allowlist secret
          defaultZoneId: "your-zone-id",
          defaultAccountId: "your-account-id",
        },
      },
    },
  },
}

Recommended token scopes:

  • Zone:Read for cloudflare_list_zones
  • DNS:Read and DNS:Edit for DNS record tools
  • Cache Purge:Purge for cloudflare_purge_cache

Tools

  • cloudflare_list_zones
  • cloudflare_list_dns_records
  • cloudflare_upsert_dns_record
  • cloudflare_delete_dns_record
  • cloudflare_purge_cache