Skip to content
ai-supply.store
DiscoverCategoriesLeaderboardsCommunityAgent APIFAQ
Sign inSign up free
catalog / DevOps & Infra / Cloudflare MCP Servers
◇MCP serverDevOps & InfraFree

Cloudflare MCP Servers

Official MCP servers to operate Cloudflare services (Workers, DNS, observability, security) via natural language.

@ai-supply
Installs37k
↗ Source repository
← More DevOps & InfraDevOps & Infra leaderboard →How we grade security →Source ↗

Cloudflare MCP Servers

A collection of official Model Context Protocol servers from Cloudflare that let an MCP client (Claude, Cursor, and others) connect to your Cloudflare account and operate its services through natural language. The repo bundles more than a dozen focused servers.

Individual servers cover documentation lookup, Workers bindings (storage, AI, compute), Workers builds, observability and logs, sandbox containers, browser rendering (fetch pages, convert to markdown, screenshots), AI Gateway, audit logs, and DNS analytics. They support both streamable-http and the deprecated SSE transport.

It is aimed at developers and platform teams who want their AI assistant to read configuration, analyze data, and apply changes across Cloudflare's application, security, and performance services.

Rating rank
#1
of 23 in DevOps & Infra
Install rank
#20
of 23 in DevOps & Infra
Security score
58/100 · D
review
Security rank
#4
of 23 in DevOps & Infra
Installs
37k
cat avg 212k
This listing vs category average
Installs
this
cat avg
Security (of 100)
this
cat avg
Adoption trend
See the DevOps & Infra leaderboard →
! Security: Review · 5858/100 · grade Dscanned 2h ago

Only compromise signals — malicious or tampered code (leaked secrets, backdoors, path traversal, a dropped executable) — reduce the score. Dangerous-by-capability traits (shell, network, injection strings, pickle) are shown as risk surface: expected for some capabilities — a security tool ships offensive code on purpose — so they do not sink the grade.

Compromise signals
Embedded credentialshighcloudflare-mcp-server-cloudflare-52c633e/apps/ai-gateway/vitest.config.ts
found: hardcoded credential
What this capability can do · med confidence (static)
⚑ filesystem⚑ networkinstall: postinstall
egress → www.apache.org, developer.mozilla.org, developers.cloudflare.com, dpgr.am, pptr.dev, www.iana.org, en.wikipedia.org, tldp.org +7
Risk surface (23)
External endpoints declaredlowexpected for this capabilitycloudflare-mcp-server-cloudflare-52c633e/.changeset/README.md
1 distinct host(s)
Path traversal sequencesmediumexpected for this capabilitycloudflare-mcp-server-cloudflare-52c633e/.prettierrc.cjs
'../' present in content or name
External endpoints declaredlowexpected for this capabilitycloudflare-mcp-server-cloudflare-52c633e/CONTRIBUTING.md
3 distinct host(s)
External endpoints declaredmediumexpected for this capabilitycloudflare-mcp-server-cloudflare-52c633e/README.md
19 distinct host(s)
External endpoints declaredlowexpected for this capabilitycloudflare-mcp-server-cloudflare-52c633e/apps/ai-gateway/CONTRIBUTING.md
2 distinct host(s)
External endpoints declaredlowexpected for this capabilitycloudflare-mcp-server-cloudflare-52c633e/apps/ai-gateway/README.md
5 distinct host(s)
Suspicious code patternsmediumexpected for this capabilitycloudflare-mcp-server-cloudflare-52c633e/apps/ai-gateway/worker-configuration.d.ts
dynamic code execution
Broad capability surfacelowcloudflare-mcp-server-cloudflare-52c633e/apps/ai-gateway/worker-configuration.d.ts
5 high-impact capability categories referenced — verify least-privilege
External endpoints declaredmediumexpected for this capabilitycloudflare-mcp-server-cloudflare-52c633e/apps/ai-gateway/worker-configuration.d.ts
17 distinct host(s)
External endpoints declaredlowexpected for this capabilitycloudflare-mcp-server-cloudflare-52c633e/apps/autorag/CONTRIBUTING.md
4 distinct host(s)
External endpoints declaredlowexpected for this capabilitycloudflare-mcp-server-cloudflare-52c633e/apps/autorag/README.md
8 distinct host(s)
External endpoints declaredlowexpected for this capabilitycloudflare-mcp-server-cloudflare-52c633e/apps/browser-rendering/README.md
7 distinct host(s)
External endpoints declaredlowexpected for this capabilitycloudflare-mcp-server-cloudflare-52c633e/apps/demo-day/frontend/index.html
6 distinct host(s)
Broad capability surfacelowcloudflare-mcp-server-cloudflare-52c633e/apps/demo-day/frontend/script.js
3 high-impact capability categories referenced — verify least-privilege
Internal host / private infrastructure referencemediumexpected for this capabilitycloudflare-mcp-server-cloudflare-52c633e/apps/demo-day/src/demo-day.app.ts
shipped content references a private IP range or internal-only host
Suspicious network referenceslowexpected for this capabilitycloudflare-mcp-server-cloudflare-52c633e/apps/dex-analysis/src/warp_diag_reader.ts
suspicious TLD (1 URLs)
External endpoints declaredmediumexpected for this capabilitycloudflare-mcp-server-cloudflare-52c633e/apps/docs-ai-search/worker-configuration.d.ts
18 distinct host(s)
External endpoints declaredlowexpected for this capabilitycloudflare-mcp-server-cloudflare-52c633e/apps/radar/README.md
10 distinct host(s)
Suspicious code patternshighexpected for this capabilitycloudflare-mcp-server-cloudflare-52c633e/apps/sandbox-container/Dockerfile
destructive rm -rf /
Suspicious code patternsmediumexpected for this capabilitycloudflare-mcp-server-cloudflare-52c633e/apps/sandbox-container/container/sandbox.container.app.ts
child_process exec; dynamic code execution
npm install-lifecycle scripthighcloudflare-mcp-server-cloudflare-52c633e/apps/sandbox-container/package.json
postinstall run on install — executes arbitrary code
External endpoints declaredmediumexpected for this capabilitycloudflare-mcp-server-cloudflare-52c633e/server.json
15 distinct host(s)
Vulnerable dependenciescritical
139 known vulnerabilities in: @cloudflare/vite-plugin@1.1.0, @hono/node-server@1.13.8, ajv@6.12.6, axios@1.8.4, brace-expansion@1.1.11, brace-expansion@2.0.1, cross-spawn@7.0.3, defu@6.1.4
✔ verified source · pinned cloudflare-mcp-server-cloudflare-52c633e
Check against a policy

The same gate an agent runs before installing (POST /api/v1/trust/cloudflare-mcp-server/check). Click a policy:

OWASP AI control mapping
7passed
7flagged
1runtime-enforced
5governance

Evaluated against the OWASP Top 10 for LLM Applications (2025) and the OWASP Machine Learning Security Top 10. Expand any control to see the findings.

OWASP Top 10 for LLM Applications
✓LLM01Prompt InjectionPassed
⚠LLM02Sensitive Information Disclosurehigh
Secrets, credentials or PII shipped inside the artifact.
•Embedded credentials — found: hardcoded credential (CWE-798)
⚠LLM03Supply Chaincritical
Vulnerable/compromised dependencies, models or archives in the artifact.
•Dependency manifest — 15 npm dependencies declared
•Dependency manifest — 11 npm dependencies declared
•Dependency manifest — 17 npm dependencies declared
•Dependency manifest — 16 npm dependencies declared
•Dependency manifest — 25 npm dependencies declared
•npm install-lifecycle script — postinstall run on install — executes arbitrary code (CWE-506)
•Dependency manifest — 19 npm dependencies declared
•Dependency manifest — 12 npm dependencies declared
•Dependency manifest — 13 npm dependencies declared
•Dependency manifest — 9 npm dependencies declared
•Dependency manifest — 20 npm dependencies declared
•Dependency manifest — 5 npm dependencies declared
•Dependency manifest — 10 npm dependencies declared
•Dependency manifest — 1 npm dependencies declared
•Vulnerable dependencies — 139 known vulnerabilities in: @cloudflare/vite-plugin@1.1.0, @hono/node-server@1.13.8, ajv@6.12.6, axios@1.8.4, brace-expansion@1.1.11, brace-expansion@2.0.1, cross-spawn@7.0.3, defu@6.1.4 (CWE-1395)
✓LLM04Data and Model PoisoningPassed
Backdoors/poisoning in training data or serialized models.
Behavioral poisoning needs model execution; static check covers unsafe serialization + dataset skew only.
⚠LLM05Improper Output Handlinghigh
Code that pipes model/user output into shell, eval, SQL or paths unsafely.
•Path traversal sequences — '../' present in content or name (CWE-22)
•Suspicious code patterns — dynamic code execution (CWE-95)
•Suspicious code patterns — destructive rm -rf / (CWE-78)
•Suspicious code patterns — child_process exec; dynamic code execution (CWE-78)
⚠LLM06Excessive Agencymedium
Over-broad tool/permission surface or unrestricted egress.
•External endpoints declared — 1 distinct host(s)
•External endpoints declared — 3 distinct host(s)
•External endpoints declared — 19 distinct host(s)
•External endpoints declared — 2 distinct host(s)
•External endpoints declared — 5 distinct host(s)
•Broad capability surface — 5 high-impact capability categories referenced — verify least-privilege (CWE-272)
•External endpoints declared — 17 distinct host(s)
•External endpoints declared — 4 distinct host(s)
•External endpoints declared — 8 distinct host(s)
•External endpoints declared — 7 distinct host(s)
•External endpoints declared — 6 distinct host(s)
•Broad capability surface — 3 high-impact capability categories referenced — verify least-privilege (CWE-272)
•External endpoints declared — 18 distinct host(s)
•External endpoints declared — 10 distinct host(s)
•External endpoints declared — 15 distinct host(s)
⚠LLM07System Prompt Leakagehigh
Secrets, internal hosts or proprietary logic exposed in shipped prompts.
•Embedded credentials — found: hardcoded credential (CWE-798)
•Internal host / private infrastructure reference — shipped content references a private IP range or internal-only host (CWE-200)
✓LLM08Vector and Embedding WeaknessesPassed
PII or plaintext source leakage in embedding/vector exports.
Embedding inversion/poisoning is largely runtime; static check covers PII in vector exports.
§LLM09MisinformationGovernance
Artifacts designed to produce false/deceptive output.
Detectable only by runtime behavioral evaluation; addressed via responsible-use attestation.
◷LLM10Unbounded ConsumptionRuntime-enforced
Unbounded loops/recursion causing DoS or runaway cost.
Enforced at runtime by the gateway (rate limits + spend caps + size caps); static check flags unbounded loops.
OWASP Machine Learning Security Top 10
§ML01Input Manipulation (Adversarial)Governance
Models vulnerable to adversarial perturbations.
Requires runtime robustness evaluation; addressed via publisher robustness attestation.
✓ML02Data PoisoningPassed
Poisoned training datasets with triggers or anomalous distributions.
Static check covers trigger phrasing, PII and label skew; full poisoning detection is runtime.
§ML03Model InversionGovernance
Training data reconstructable from a model's outputs.
Runtime/evaluation property; addressed via model-card data-provenance + DP attestation.
§ML04Membership InferenceGovernance
Determining whether a record was in the training set.
Runtime/evaluation property; addressed via overfitting disclosure + DP attestation.
✓ML05Model TheftPassed
Unlicensed re-distribution / license-incompatible derivatives.
Static check verifies license declaration; extraction throttling is runtime.
⚠ML06AI Supply Chaincritical
Compromised PyPI/npm packages, typosquats, unsafe serialized models.
•Dependency manifest — 15 npm dependencies declared
•Dependency manifest — 11 npm dependencies declared
•Dependency manifest — 17 npm dependencies declared
•Dependency manifest — 16 npm dependencies declared
•Dependency manifest — 25 npm dependencies declared
•npm install-lifecycle script — postinstall run on install — executes arbitrary code (CWE-506)
•Dependency manifest — 19 npm dependencies declared
•Dependency manifest — 12 npm dependencies declared
•Dependency manifest — 13 npm dependencies declared
•Dependency manifest — 9 npm dependencies declared
•Dependency manifest — 20 npm dependencies declared
•Dependency manifest — 5 npm dependencies declared
•Dependency manifest — 10 npm dependencies declared
•Dependency manifest — 1 npm dependencies declared
•Vulnerable dependencies — 139 known vulnerabilities in: @cloudflare/vite-plugin@1.1.0, @hono/node-server@1.13.8, ajv@6.12.6, axios@1.8.4, brace-expansion@1.1.11, brace-expansion@2.0.1, cross-spawn@7.0.3, defu@6.1.4 (CWE-1395)
✓ML07Transfer Learning AttackPassed
Backdoored base models / LoRA adapters propagating to derivatives.
Backdoor detection needs behavioral probing; static check covers unsafe serialization + provenance.
§ML08Model SkewingGovernance
Models trained on skewed data producing biased output.
Requires fairness evaluation; addressed via model-card bias/limitations disclosure.
⚠ML09Output Integrityhigh
Middleware tampering with model outputs in transit.
Gateway enforces TLS + response integrity; static check flags output-rewriting code.
•Path traversal sequences — '../' present in content or name (CWE-22)
•Suspicious code patterns — dynamic code execution (CWE-95)
•Suspicious code patterns — destructive rm -rf / (CWE-78)
•Suspicious code patterns — child_process exec; dynamic code execution (CWE-78)
✓ML10Model Poisoning (Weights)Passed
Tampered model weight files; integrity must be verifiable.
Static check enforces safe formats + records a content hash for downstream verification.

Consume Cloudflare MCP Servers programmatically. Authenticate with an API key or session — see Authorize an agent.

# Agents: CHECK BEFORE YOU INSTALL (no auth) — score, grade, level, capability manifest
curl https://ai-supply.store/api/v1/trust/cloudflare-mcp-server

# Gate against your org policy (returns { pass, violations })
curl -X POST https://ai-supply.store/api/v1/trust/cloudflare-mcp-server/check \
  -H "Content-Type: application/json" \
  -d '{"minGrade":"B","denyPermissions":["shell"],"denyUnknownEgress":true}'

# CLI
npx ai-supply add cloudflare-mcp-server

# REST (install → download)
curl -X POST https://ai-supply.store/api/v1/listings/cloudflare-mcp-server/install \
  -H "Authorization: Bearer $AIM_KEY"

# MCP tool
install_listing({ "slug": "cloudflare-mcp-server" })
OpenAPI spec →
vlatest
! Security: Review · 582h ago

Curated mirror — latest upstream source. See the repository for tagged releases.

Sign in and install this listing to leave a review.

More from @ai-supply

View profile →
◉Agent
MetaGPT
Multi-agent framework that assigns GPT roles (PM, engineer, QA) to solve complex software tasks end-to-end.
↓ 1.0M
⇄Connector
vLLM
High-throughput, memory-efficient LLM inference engine with PagedAttention and continuous batching.
↓ 892k
⇄Connector
Meilisearch
Lightning-fast open-source search engine with typo-tolerance, semantic hybrid search, and sub-50ms response times.
↓ 811k
△Eval
Weights & Biases (wandb)
ML experiment tracking and visualization — log metrics, hyperparameters, models, and media in real time.
↓ 784k
ai-supply.store

Free, security-vetted AI capabilities — skills, MCPs, plugins, agents, datasets and more, each graded and freshness-tracked, and built for humans and agents alike.

api · v3.1status · all green
Contact
support@ai-supply.storesecurity@ai-supply.store
Catalog
  • Discover
  • Categories
  • Leaderboards
  • Benchmarks
  • Security
Community
  • Community
  • FAQ
For agents
  • Quickstart (60s)
  • Authorize an agent
  • Agent API
  • OpenAPI spec
For builders
  • Publish
  • Dashboard
Account
  • Create account
  • Sign in
  • Settings
Legal
  • Terms
  • Publisher Agreement
  • Acceptable Use
  • Privacy