Proactively audit Cloudflare configurations for security vulnerabilities, resilience gaps, cost traps, AND budget/privacy risks. Use this skill when reviewing wrangler configs, before deployments, investigating issues, or when ANY architecture decision involves Durable Objects, R2, Workers AI, or high-volume operations. This skill PROACTIVELY warns about cost impacts before users ask.
/plugin marketplace add littlebearapps/cloudflare-engineer
/plugin install cloudflare-engineer@littlebearapps-cloudflare

This skill inherits all available tools. When active, it can use any tool Claude has access to.
Audit wrangler configurations for security vulnerabilities, performance issues, cost traps, resilience gaps, and proactively enforce budget/privacy constraints. Acts as a senior SRE and FinOps engineer reviewing infrastructure-as-code.
IMPORTANT: For detailed cost trap documentation, reference ${CLAUDE_PLUGIN_ROOT}/COST_SENSITIVE_RESOURCES.md.
When issuing cost warnings, use provenance tags:
- `[STATIC:COST_WATCHLIST]` - Pattern detected via code analysis
- `[LIVE-VALIDATED:COST_WATCHLIST]` - Confirmed by observability data
- `[REFUTED:COST_WATCHLIST]` - Pattern exists but not hitting thresholds

CRITICAL: When Claude suggests ANY code change involving the following, the guardian skill MUST trigger proactive checks:
If suggesting code that includes .run(), .first(), or database writes:
- `.batch()` - If missing, warn about per-row insert costs
- `CREATE INDEX` - If querying unindexed columns, warn about scan costs
- `TRAP-D1-001` or `TRAP-D1-002` from COST_SENSITIVE_RESOURCES.md

Budget Whisperer Check:

```text
- Detected: D1 write operation in proposed code
- Searched for: db.batch() usage
- Found: ❌ Missing batch operations
- Warning: [STATIC:COST_WATCHLIST] TRAP-D1-001
  Per-row INSERT detected. At 10K rows, this costs $0.01 vs $0.00001 batched.
  Recommendation: Wrap in db.batch() with max 1000 statements per batch.
```
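The `db.batch()` fix this check recommends, as an added example that is not part of the skill; the table name and columns are assumed, and the D1 stand-in at the bottom is constructed so the code runs outside Workers:

```javascript
// Added example, not the skill's own code: the fix TRAP-D1-001 recommends, written as Worker
// helpers. Table name and columns are assumed; the D1 stand-in at the bottom is constructed.

// Split an array into consecutive chunks of at most `size` elements.
function chunk(items, size) {
  if (size < 1) throw new RangeError("chunk size must be >= 1");
  const out = [];
  for (let i = 0; i < items.length; i += size) out.push(items.slice(i, i + size));
  return out;
}

// Prepare one statement per row (no I/O yet; prepare/bind are synchronous) and group them
// into batches of at most 1000 statements, the per-batch cap the skill recommends.
function prepareInsertBatches(db, rows, batchSize = 1000) {
  const stmt = db.prepare("INSERT INTO projects (id, source) VALUES (?1, ?2)");
  return chunk(rows.map((r) => stmt.bind(r.id, r.source)), Math.min(batchSize, 1000));
}

// Anti-pattern the skill flags (BUDGET003): one .run() round trip per row inside a loop.
async function insertRowsPerRow(db, rows) {
  for (const r of rows) {
    await db.prepare("INSERT INTO projects (id, source) VALUES (?1, ?2)").bind(r.id, r.source).run();
  }
  return rows.length;
}

// Recommended shape: each db.batch() call is a single request; returns the request count.
async function insertRowsBatched(db, rows) {
  let requests = 0;
  for (const batch of prepareInsertBatches(db, rows)) {
    await db.batch(batch);
    requests += 1;
  }
  return requests;
}

// Constructed stand-in for a D1 binding so the example runs outside Workers; it only
// records how many requests each approach makes (real D1 returns result objects).
function makeFakeD1() {
  const calls = { run: 0, batch: 0 };
  const bound = { run: async () => { calls.run += 1; return { success: true }; } };
  return {
    calls,
    prepare: () => ({ bind: () => bound }),
    batch: async (stmts) => { calls.batch += 1; return stmts.map(() => ({ success: true })); },
  };
}
```

With 2,500 rows the batched path makes 3 requests where the per-row path makes 2,500.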
If suggesting code that includes .put():
- `.put()` inside a loop or frequently called handler?
- `TRAP-R2-001` from COST_SENSITIVE_RESOURCES.md

If suggesting DO architecture:
- `TRAP-DO-001` from COST_SENSITIVE_RESOURCES.md

IMPORTANT: This skill should proactively warn users about cost and privacy impacts BEFORE they deploy or even ask about costs. When reviewing ANY architecture that includes the following, immediately surface budget/privacy alerts:
| Service/Pattern | Threshold | Proactive Warning |
|---|---|---|
| Durable Objects | Any usage | "DO charges ~$0.15/GB-month storage + $0.50/M requests. Consider KV for simple key-value." |
| R2 Class A ops | >1M/month | "R2 writes cost $4.50/M. Buffer writes or use presigned URLs for client uploads." |
| D1 Writes | >10M/month | "D1 writes cost $1/M. Detected pattern suggests >$10/mo. Batch to ≤1,000 rows." |
| Workers AI (>8B) | Any usage | "Large models (Llama 11B+) cost $0.68/M tokens. Use 8B or smaller for bulk." |
| Vectorize | >1M vectors | "Approaching 5M vector limit. Plan sharding strategy." |
| KV Writes | >5M/month | "KV writes cost $5/M (10× reads). Consider D1 or R2 for write-heavy." |

| Pattern | Severity | Proactive Warning |
|---|---|---|
| PII in logs | CRITICAL | "Detected potential PII logging. Use structured logging with redaction." |
| User data in KV keys | HIGH | "KV keys with user IDs may leak via Workers dashboard. Hash or encrypt." |
| AI prompts with PII | HIGH | "AI Gateway logs may contain user data. Enable prompt redaction." |
| R2 public buckets | HIGH | "R2 bucket appears public. Verify intentional or add authentication." |
| Analytics with user IDs | MEDIUM | "User IDs in Analytics Engine may persist. Use anonymized identifiers." |

| ID | Name | Severity | Check |
|---|---|---|---|
| SEC001 | Secrets in plaintext | CRITICAL | vars.* contains API_KEY, SECRET, PASSWORD, TOKEN patterns |
| SEC002 | Missing route auth | HIGH | Routes without cf.access or auth middleware |
| SEC003 | CORS wildcard | MEDIUM | cors.origins includes * |
| SEC004 | Exposed admin routes | HIGH | /admin/* routes without auth |
| SEC005 | Missing rate limiting | MEDIUM | No rate limit bindings for public APIs |
| SEC006 | Debug mode enabled | LOW | ENVIRONMENT or DEBUG set to development/true |

| ID | Name | Severity | Check |
|---|---|---|---|
| PERF001 | Missing Smart Placement | LOW | placement.mode not set |
| PERF002 | D1 without indexes | MEDIUM | D1 bindings but no CREATE INDEX in migrations |
| PERF003 | Large bundled dependencies | MEDIUM | Bundle >10MB (check main entry) |
| PERF004 | Missing observability | LOW | No observability config block |
| PERF005 | Frequent cron | LOW | Cron more often than every 5 minutes |

| ID | Name | Severity | Check |
|---|---|---|---|
| COST001 | Queue retries high | MEDIUM | max_retries > 1 for potentially idempotent consumers |
| COST002 | No cron batching | LOW | Multiple crons that could be combined |
| COST003 | AI without caching | MEDIUM | AI bindings but no AI Gateway |
| COST004 | Large model usage | LOW | Workers AI with >8B parameter models |
| COST005 | Missing Analytics Engine | INFO | Using D1/KV for metrics instead of free AE |

| ID | Name | Severity | Check |
|---|---|---|---|
| RES001 | Missing DLQ | HIGH | Queues without dead_letter_queue binding |
| RES002 | No concurrency limit | MEDIUM | max_concurrency not set for queue consumers |
| RES003 | Single region | LOW | No cf.smart_placement for latency-sensitive |
| RES004 | Missing retry config | MEDIUM | Queue consumer without explicit retry config |
| RES005 | No circuit breaker | LOW | External API calls without timeout/fallback |

| ID | Name | Severity | Check |
|---|---|---|---|
| BUDGET001 | Durable Objects usage | INFO | Any DO binding - proactively explain cost model |
| BUDGET002 | R2 write-heavy pattern | MEDIUM | Frequent R2 Class A ops without buffering |
| BUDGET003 | D1 per-row inserts | HIGH | Loop-based INSERTs instead of batch |
| BUDGET004 | Large AI model | MEDIUM | Workers AI with >8B parameter model |
| BUDGET005 | KV write-heavy | MEDIUM | >5M KV writes/month pattern |
| BUDGET006 | Vectorize scaling | INFO | >1M vectors - warn about 5M limit |

| ID | Name | Severity | Check |
|---|---|---|---|
| PRIV001 | PII in logs | CRITICAL | console.log with user data patterns |
| PRIV002 | User IDs in KV keys | HIGH | KV key patterns containing user/email/phone |
| PRIV003 | AI prompts PII | HIGH | AI bindings without redaction middleware |
| PRIV004 | R2 public access | HIGH | R2 bucket without authentication |
| PRIV005 | Analytics PII | MEDIUM | User identifiers in Analytics Engine writes |
Support both TOML and JSONC formats:
1. Read wrangler.toml or wrangler.jsonc
2. Parse into structured format
3. Extract: name, bindings, routes, triggers, vars
For each security rule:
1. Check if pattern exists in config
2. If violation found:
- Record rule ID, severity, location
- Generate specific recommendation
- Include docs URL if available
For each performance rule:
1. Check config for anti-patterns
2. Cross-reference with migrations (for D1 index checks)
3. Record findings with optimization recommendations
For each cost rule:
1. Identify cost-amplifying patterns
2. Estimate impact if possible
3. Provide specific fixes
For each resilience rule:
1. Check for missing failure handling
2. Identify single points of failure
3. Recommend redundancy patterns
For bindings that trigger budget warnings:
1. Detect Durable Objects → Explain cost model proactively
2. Detect R2 writes → Check for buffering patterns
3. Detect D1 writes → Check for batch vs per-row
4. Detect Workers AI → Check model size selection
5. Detect high-volume KV → Suggest alternatives
Key principle: Surface budget impacts BEFORE the user asks about costs.
For privacy-sensitive patterns:
1. Scan code for console.log with user data patterns
2. Check KV key naming for PII patterns
3. Verify AI prompts have redaction middleware
4. Check R2 bucket access controls
5. Review Analytics Engine write patterns
```text
score = 100 - (critical × 25) - (high × 15) - (medium × 5) - (low × 2)
```
Grades:
```markdown
# Cloudflare Configuration Audit

**Score**: XX/100 (Grade: X)
**File**: wrangler.jsonc

## Proactive Budget & Privacy Alerts

> **Budget Impact Detected**: [List any BUDGET* findings with cost estimates]
> **Privacy Concern**: [List any PRIV* findings requiring attention]

## Summary

| Category | Critical | High | Medium | Low | Info |
|----------|----------|------|--------|-----|------|
| Security | X | X | X | X | - |
| Performance | X | X | X | X | - |
| Cost | X | X | X | X | - |
| Resilience | X | X | X | X | - |
| Budget | - | X | X | - | X |
| Privacy | X | X | X | - | - |

## Critical Issues (Must Fix)

### SEC001: Secrets in plaintext
- **Location**: `vars.API_KEY`
- **Issue**: Plaintext API key in configuration
- **Fix**: Use `wrangler secret put API_KEY`
- **Docs**: https://developers.cloudflare.com/workers/configuration/secrets/

## High Priority Issues

### RES001: Missing dead letter queue
- **Location**: `queues[0]` (harvest-queue)
- **Issue**: No DLQ for failed message inspection
- **Fix**: Add `dead_letter_queue = "harvest-dlq"`

## Medium Priority Issues
[List all medium issues]

## Low Priority Issues
[List all low issues]

## Recommendations
1. [ ] Move secrets to wrangler secret
2. [ ] Add DLQ for all production queues
3. [ ] Enable Smart Placement
4. [ ] Consider Analytics Engine for metrics
```
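A static scanner that produces the findings and score the report above is built from, as an added example that is not the skill's own code; it applies SEC001, PERF001, PERF004, BUDGET001, RES001, RES002 and COST001 to a constructed wrangler.jsonc and uses the score formula from the rule tables:

```javascript
// Added example, not the skill's own code: a minimal static audit of a wrangler.jsonc that
// applies some of the rules above and computes the skill's score formula. Sample is constructed.
const SAMPLE_WRANGLER_JSONC = `{
  "name": "demo-worker", // constructed sample, modelled on the "bad" config in this skill
  "vars": { "API_KEY": "sk-xxxxx", "LOG_LEVEL": "info" },
  "queues": { "consumers": [{ "queue": "my-queue", "max_retries": 10 }] }
}`;

const SECRET_NAME = /API_KEY|SECRET|PASSWORD|TOKEN/i;                   // SEC001 name patterns
const WEIGHT = { CRITICAL: 25, HIGH: 15, MEDIUM: 5, LOW: 2, INFO: 0 }; // subtracted from 100

// Remove // and /* */ comments outside string literals so JSON.parse accepts JSONC.
function stripJsoncComments(text) {
  let out = "", inStr = false, i = 0;
  while (i < text.length) {
    const c = text[i], next = text[i + 1];
    if (inStr) { out += c; if (c === "\\") { out += next || ""; i++; } else if (c === '"') inStr = false; i++; }
    else if (c === '"') { inStr = true; out += c; i++; }
    else if (c === "/" && next === "/") { while (i < text.length && text[i] !== "\n") i++; }
    else if (c === "/" && next === "*") { const end = text.indexOf("*/", i + 2); i = end < 0 ? text.length : end + 2; }
    else { out += c; i++; }
  }
  return out;
}

function auditWrangler(jsoncText) {
  const cfg = JSON.parse(stripJsoncComments(jsoncText));
  const findings = [];
  const add = (id, severity, location, fix) => findings.push({ id, severity, location, fix });
  // SEC001: secret-looking names under vars belong in `wrangler secret put`.
  for (const key of Object.keys(cfg.vars || {})) {
    if (SECRET_NAME.test(key)) add("SEC001", "CRITICAL", `vars.${key}`, `wrangler secret put ${key}`);
  }
  // PERF001 / PERF004: Smart Placement and observability blocks absent.
  if (cfg.placement?.mode !== "smart") add("PERF001", "LOW", "placement.mode", 'set "placement": { "mode": "smart" }');
  if (!cfg.observability) add("PERF004", "LOW", "observability", "add an observability block");
  // BUDGET001: any Durable Object binding gets the cost-model note.
  if ((cfg.durable_objects?.bindings || []).length > 0) add("BUDGET001", "INFO", "durable_objects", "explain DO cost model");
  // RES001 / RES002 / COST001 per queue consumer; max_retries is only judged when set explicitly.
  (cfg.queues?.consumers || []).forEach((q, i) => {
    const loc = `queues.consumers[${i}]`;
    if (!q.dead_letter_queue) add("RES001", "HIGH", loc, "add dead_letter_queue");
    if (q.max_concurrency === undefined) add("RES002", "MEDIUM", loc, "set max_concurrency");
    if (q.max_retries !== undefined && q.max_retries > 1) add("COST001", "MEDIUM", loc, "lower max_retries");
  });
  // score = 100 - (critical × 25) - (high × 15) - (medium × 5) - (low × 2); INFO is unweighted.
  const score = findings.reduce((s, f) => s - WEIGHT[f.severity], 100);
  return { findings, score };
}
```

The constructed sample yields one CRITICAL, one HIGH, two MEDIUM and two LOW findings, so its score is 46.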
When D1 bindings exist, also scan migration files:
```sql
-- Good: Has index
CREATE INDEX idx_projects_source ON projects(source);

-- Bad: Missing index for common query pattern
SELECT * FROM projects WHERE source = ? ORDER BY created_at DESC;
```
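The cross-reference between migration files and query patterns, as an added example that is not the skill's own code; the migration and queries are constructed, and the matching is regex-based and limited to single-table SELECTs:

```javascript
// Added example, not the skill's own code: cross-reference D1 migration SQL with the
// queries a Worker runs and flag WHERE / ORDER BY columns no CREATE INDEX covers (PERF002).
// Regex-based and limited to single-table SELECTs; the SQL samples are constructed.
const MIGRATION_SQL = `CREATE TABLE projects (id TEXT PRIMARY KEY, source TEXT, created_at INTEGER);
CREATE INDEX idx_projects_source ON projects(source);`;
const QUERIES = [
  "SELECT * FROM projects WHERE source = ? ORDER BY created_at DESC;", // sort column unindexed
  "SELECT * FROM projects WHERE source = ?",                           // covered by the index
  "SELECT id FROM users WHERE email = ? LIMIT 1",                      // no index at all
];
const INDEX_RE = /CREATE\s+(?:UNIQUE\s+)?INDEX\s+(?:IF\s+NOT\s+EXISTS\s+)?\w+\s+ON\s+(\w+)\s*\(([^)]*)\)/gi;

// table -> leading indexed columns; only the first column of a composite index serves a
// filter on that column alone, so later columns are not recorded.
function indexedColumns(migrationSql) {
  const byTable = new Map();
  for (const m of migrationSql.matchAll(INDEX_RE)) {
    const table = m[1].toLowerCase(), leading = m[2].split(",")[0].trim().toLowerCase();
    if (!byTable.has(table)) byTable.set(table, new Set());
    byTable.get(table).add(leading);
  }
  return byTable;
}

// Table plus filtered/sorted columns of a SELECT.
function queryShape(sql) {
  const table = /\bFROM\s+(\w+)/i.exec(sql)?.[1]?.toLowerCase();
  const where = /\bWHERE\s+(.+?)(?:\bORDER\s+BY\b|\bLIMIT\b|;|$)/is.exec(sql)?.[1] || "";
  const cols = new Set();
  for (const m of where.matchAll(/(\w+)\s*(?:=|<>|!=|<=|>=|<|>|\bLIKE\b|\bIN\b)/gi)) cols.add(m[1].toLowerCase());
  const order = /\bORDER\s+BY\s+(\w+)/i.exec(sql)?.[1];
  if (order) cols.add(order.toLowerCase());
  return { table, cols: [...cols] };
}

// One PERF002 finding per query column with no index on its table.
function findMissingIndexes(migrationSql, queries) {
  const idx = indexedColumns(migrationSql);
  const findings = [];
  for (const sql of queries) {
    const { table, cols } = queryShape(sql);
    for (const column of table ? cols : []) {
      if (!idx.get(table)?.has(column)) findings.push({ id: "PERF002", table, column, query: sql });
    }
  }
  return findings;
}
```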
Flag missing indexes for:
```jsonc
{
  // Smart Placement enabled
  "placement": { "mode": "smart" },
  // Observability configured
  "observability": { "logs": { "enabled": true } },
  // Queue with DLQ
  "queues": {
    "consumers": [{
      "queue": "my-queue",
      "dead_letter_queue": "my-dlq",
      "max_retries": 1,
      "max_concurrency": 10
    }]
  }
}
```
```jsonc
{
  // Secrets in vars
  "vars": { "API_KEY": "sk-xxxxx" },
  // No DLQ and high retries on the same consumer
  "queues": { "consumers": [{ "queue": "my-queue", "max_retries": 10 }] }
}
```
When MCP tools are available (via --validate mode in /cf-audit), enhance static findings with live data.
Reference @skills/probes/SKILL.md for detailed query patterns.
Tag findings based on data source:
- `[STATIC]` - Inferred from code/config analysis only
- `[LIVE-VALIDATED]` - Confirmed by observability data
- `[LIVE-REFUTED]` - Code smell not observed in production
- `[INCOMPLETE]` - MCP tools unavailable for verification

When issues are found, recommend applicable patterns from @skills/patterns/:
| Finding | Recommended Pattern |
|---|---|
| Per-row D1 inserts | d1-batching |
| External API issues | circuit-breaker |
| Monolithic Worker | service-bindings |
- `--validate` for production-ready verification
- `--fix` suggestions to auto-generate patches
- `[LIVE-REFUTED]` findings may still be worth fixing proactively