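Installation
Manual download and install
Download the ZIP and extract it into the skills directory to install. If a direct download fails inside the desktop client's WebView, the site falls back to a notice page with the original link; follow the instructions on that page.
Download ZIP (shub-cloudflare-guard-v1.0.0.zip)
Trigger command
/cloudflare-guard
Cross-platform installation guide
This skill declares compatibility with the following 1 platform; extract the ZIP into the corresponding directory and it will be recognized.
```bash
unzip shub-cloudflare-guard-v1.0.0.zip -d ~/.claude/skills/
```
Create with `mkdir -p`; after enabling the Skill, restart the corresponding Agent for the configuration to take effect.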
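Usage guide
Cloudflare protection policy
Covers Cloudflare protection policy: a reference for hardening and monitoring WAF, Bot, and access policies; for false-positive troubleshooting, the dashboard and logs are authoritative. There is no need to hand-assemble scattered English instructions into the context before every task, and it reduces trial and error caused by drifting from the client's default behavior; for specific commands, hooks, and JSON parameters, the SKILL.md inside the ZIP remains authoritative. The structure below matches the site's MCP CLI topic articles: when to use, prerequisites, workflow, quick reference, and troubleshooting.
When to use
- A reference for hardening and monitoring WAF, Bot, and access policies
- For false-positive troubleshooting, the dashboard and logs are authoritative
- You have obtained this skill's ZIP and are ready to mount it in Claude Code / OpenClaw as described in SKILL.md.
- You want a topic article to quickly decide whether to enable the skill before digging into the English SKILL for parameters and limits.
- You need to align with your team on the same trigger method, directory conventions, or callback format.
Prerequisites
- General: you can run Claude Code or the client the documentation requires, and you have a readable and writable project workspace (or the sandbox directory specified in SKILL.md).
- Authoritative details: API Key / OAuth, hook paths, and environment variables follow the SKILL.md inside the ZIP.
Typical workflow
- Obtain the skill ZIP from ClawHub / the site's distribution, and verify the version and checksum (if provided).
- Read the installation section of SKILL.md: target directory and client type (Claude Code / OpenClaw / script).
- Complete the first call using the minimal example in the documentation (a single-file change, a single query, or a single delegation).
- Confirm the working directory, permission boundary, and output path before handling multi-file or long-running tasks.
- When callbacks / webhooks / notifications are needed, configure the endpoint as described in SKILL.md and validate it in a test environment first.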
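The checksum step in the workflow above, extended with a look at the archive's entries before anything is extracted into the skills directory. This is an added Python example, not part of the skill package; `inspect_skill_zip` and `build_sample` are hypothetical helper names, and the expected SHA-256 must come from wherever the ZIP's publisher lists it.

```python
import hashlib
import io
import zipfile
from pathlib import PurePosixPath


def inspect_skill_zip(data, expected_sha256=None):
    """Return a list of problems found in a skill ZIP (bytes) before extraction."""
    problems = []
    digest = hashlib.sha256(data).hexdigest()
    if expected_sha256 is not None and digest != expected_sha256.lower():
        problems.append("sha256 mismatch")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        has_skill_md = False
        for info in zf.infolist():
            path = PurePosixPath(info.filename.replace("\\", "/"))
            if path.is_absolute() or ".." in path.parts:
                problems.append(f"path escapes target directory: {info.filename}")
            # Upper 16 bits of external_attr hold the Unix mode; 0o120000 is a symlink.
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                problems.append(f"symlink entry: {info.filename}")
            if path.name == "SKILL.md":
                has_skill_md = True
        if not has_skill_md:
            problems.append("no SKILL.md in archive")
    return problems


def build_sample(names):
    """Constructed in-memory archive standing in for a downloaded ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, "constructed sample content\n")
    return buf.getvalue()


if __name__ == "__main__":
    good = build_sample(["cloudflare-guard/SKILL.md"])
    print(inspect_skill_zip(good, hashlib.sha256(good).hexdigest()))
    print(inspect_skill_zip(build_sample(["notes.txt"]), "0" * 64))
```

An empty list means the archive passed these checks; it says nothing about what the instructions in SKILL.md will make the agent do, so that file still needs to be read before the skill is enabled.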
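Relationship to the ZIP / SKILL.md
Like the MCP CLI oss articles, the site's topic article summarizes when to use the skill, how to connect it, and how to troubleshoot it; command templates, hook names, JSON fields, and the version matrix always follow the SKILL.md inside the ZIP and the ClawHub upstream.
Command examples (extracted from the SKILL.md in the package)
The following terminal/script snippets were automatically extracted from the upstream SKILL.md (or the ingested body text); paths, environment variables, and parameters follow the current ZIP and the official documentation.
ClawHub slug: cloudflare-guard (for the install command, SKILL.md / the claw CLI is authoritative).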
```bash
# List DNS records
curl -s -X GET \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" | jq '.result[] | {id, type, name, content, proxied}'

# Add CNAME for Vercel
curl -s -X POST \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "type": "CNAME",
    "name": "<subdomain>",
    "content": "cname.vercel-dns.com",
    "ttl": 1,
    "proxied": true
  }' | jq .

# Add root domain A record
curl -s -X POST \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "type": "A",
    "name": "@",
    "content": "76.76.21.21",
    "ttl": 1,
    "proxied": true
  }' | jq .

# Delete a DNS record
curl -s -X DELETE \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records/<record-id>" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" | jq .

# Set SSL mode to Full (Strict)
curl -s -X PATCH \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/settings/ssl" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"value": "strict"}' | jq .

# Enable Always Use HTTPS
curl -s -X PATCH \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/settings/always_use_https" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"value": "on"}' | jq .

# Set browser cache TTL (seconds)
curl -s -X PATCH \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/settings/browser_cache_ttl" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"value": 14400}' | jq .

# Purge all cache
curl -s -X POST \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/purge_cache" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"purge_everything": true}' | jq .

# Purge specific URLs
curl -s -X POST \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/purge_cache" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"files": ["https://example.com/path"]}' | jq .

# Create a rate limiting rule for API routes
curl -s -X POST \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/rulesets/phases/http_ratelimit/entrypoint" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "rules": [{
      "expression": "(http.request.uri.path matches \"^/api/\")",
      "description": "Rate limit API routes",
      "action": "block",
      "ratelimit": {
        "characteristics": ["ip.src"],
        "period": 60,
        "requests_per_period": 100,
        "mitigation_timeout": 600
      }
    }]
  }' | jq .
```
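Trigger command recorded when the skill was ingested by the site (see the ZIP for full semantics):
```
# When using this skill you can reference or run the command above in the conversation; full parameters and examples are in the SKILL.md inside the download package.
/cloudflare-guard
```
Best practices
- Read SKILL.md before guessing parameters; the site's topic article does not replace the schema and required-field documentation.
- When delegating a task, spell out the acceptance criteria (commands, file paths, test commands) to cut down on back-and-forth questions.
- For long tasks, use the callbacks / on-disk logs recommended by the documentation instead of high-frequency polling; this saves tokens and machine load.
- When multiple skills are enabled at once, watch the hook load order and duplicate tool calls (the conflict notes in SKILL.md are authoritative).
Debugging and troubleshooting
- Turn on stderr and client logs; in PTY/tmux scenarios, also check the last few dozen lines of pane output.
- On parameter errors, compare against the JSON/CLI examples in SKILL.md (quoting, escaping, working directory).
- Network failures: check the proxy, firewall, and MCP transport (stdio / HTTP / SSE).
Quick reference
| Action | Description |
|------|------|
| Get the skill package | ClawHub / site ZIP; check the version |
| Authoritative steps | Read the SKILL.md inside the ZIP first |
| First trial run | Use the minimal example from SKILL.md |
| Acceptance | Check against paths, test commands, or callback payloads |
Common failures
- No output or immediate exit → wrong working directory, dependencies not installed, or Claude Code not logged in; run through the self-check list in SKILL.md.
- Permission denied → check the sandbox path, `--permission-mode`, and the tool allowlist.
- Behavior differs from the description → the English SKILL and the upstream repository are authoritative; the site article is only a structured guide.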
# Cloudflare Guard
You are an infrastructure engineer managing Cloudflare configurations for web applications deployed on Vercel. You handle DNS, caching, security, and edge logic. Always use the Cloudflare API v4 via curl. Never store API tokens in files.
## Planning Protocol (MANDATORY — execute before ANY action)
Before making any API call to Cloudflare, you MUST complete this planning phase:
1. **Understand the request.** Determine: (a) what DNS/caching/security change is needed, (b) which domain and zone it affects, (c) whether this is a new configuration or a modification to an existing one.
2. **Survey the current state.** List existing DNS records, current SSL settings, active page rules, and rate limiting rules by querying the Cloudflare API. Never assume the current state — always check first.
3. **Build an execution plan.** Write out: (a) each API call you will make, (b) the expected response, (c) the order of operations (e.g., DNS must be set before SSL can be verified). Present this plan before executing.
4. **Identify risks.** Flag: (a) DNS changes that could cause downtime (changing proxied records, removing A/CNAME records), (b) SSL changes that could break HTTPS, (c) WAF rules that could block legitimate traffic. For DNS changes, note the propagation time.
5. **Execute sequentially.** Make one API call at a time, verify the response, then proceed. For DNS changes, verify propagation with a lookup before moving on.
6. **Summarize.** Report all changes made, current state after changes, and any propagation delays the user should expect.
Do NOT skip this protocol. A wrong DNS record or SSL setting can take the entire site offline.
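Steps 2 and 4 of the protocol (survey, then flag risks) can be made mechanical by comparing the planned DNS operations with the surveyed records. The following Python sketch is an added example and not part of SKILL.md; `assess_plan` and the plan format (`op`, `id`, `record`) are assumptions, while the record fields are the ones the List DNS records filter prints.

```python
# Added example (not from SKILL.md): flag risky steps in a planned DNS change
# set by comparing it with the surveyed state. Records use the fields the
# page's jq filter prints; the plan format (op / id / record) is an assumption.

def assess_plan(current, plan):
    """Return (step_index, risk) tuples; names are compared as full hostnames."""
    by_id = {r["id"]: r for r in current}
    risks = []
    for i, step in enumerate(plan):
        op = step["op"]
        old = by_id.get(step.get("id"))
        if op in ("delete", "update") and old is None:
            risks.append((i, "record id not in surveyed state; list records again"))
            continue
        if op == "delete":
            if old["type"] in ("A", "CNAME"):
                risks.append((i, f"removing {old['type']} {old['name']} can cause downtime"))
        elif op == "update":
            new = step["record"]
            if "proxied" in new and new["proxied"] != old["proxied"]:
                risks.append((i, f"proxied flag changes on {old['name']}"))
        elif op == "create":
            new = step["record"]
            clash = [r for r in current if r["name"] == new["name"]
                     and "CNAME" in (r["type"], new["type"])]
            if clash:
                # A CNAME cannot share a name with any other record.
                risks.append((i, f"{new['name']} already has a {clash[0]['type']} record"))
            if not new.get("proxied", False):
                risks.append((i, f"{new['name']} would bypass the Cloudflare proxy"))
    return risks


# Constructed sample data (not real zone contents).
CURRENT = [
    {"id": "rec-1", "type": "A", "name": "example.com", "content": "76.76.21.21", "proxied": True},
    {"id": "rec-2", "type": "TXT", "name": "app.example.com", "content": "v=test", "proxied": False},
]
PLAN = [
    {"op": "create", "record": {"type": "CNAME", "name": "app.example.com",
                                "content": "cname.vercel-dns.com", "proxied": True}},
    {"op": "update", "id": "rec-1", "record": {"proxied": False}},
    {"op": "delete", "id": "rec-1"},
    {"op": "delete", "id": "rec-9"},
]

if __name__ == "__main__":
    for idx, risk in assess_plan(CURRENT, PLAN):
        print(f"step {idx}: {risk}")
```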
## Platform Compatibility
This skill uses `curl` and `jq` for Cloudflare API interactions. On Windows (without WSL), `jq` may not be available.
**Alternatives when `jq` is not installed:**
- Use `python3 -m json.tool` for basic JSON formatting: `curl ... | python3 -m json.tool`
- Use `npx json` (from the `json` npm package): `curl ... | npx json`
- Use PowerShell's `ConvertFrom-Json`: `(curl ... | ConvertFrom-Json)`
Before executing any commands, check if `jq` is available by running `which jq || command -v jq`. If not found and on Windows, fall back to one of the alternatives above. All examples in this skill use `jq` syntax, but the agent should substitute the appropriate alternative for the user's platform.
## API Base
All requests use:
```
https://api.cloudflare.com/client/v4
```
Auth header:
```
Authorization: Bearer $CLOUDFLARE_API_TOKEN
```
## DNS Management
### List DNS records
```bash
curl -s -X GET \
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" | jq '.result[] | {id, type, name, content, proxied}'
```
### Add CNAME for Vercel
```bash
curl -s -X POST \
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{
"type": "CNAME",
"name": "<subdomain>",
"content": "cname.vercel-dns.com",
"ttl": 1,
"proxied": true
}' | jq .
```
### Add root domain A record (if needed)
```bash
curl -s -X POST \
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{
"type": "A",
"name": "@",
"content": "76.76.21.21",
"ttl": 1,
"proxied": true
}' | jq .
```
### Delete a DNS record
```bash
curl -s -X DELETE \
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records/<record-id>" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" | jq .
```
## SSL/TLS Configuration
### Set SSL mode to Full (Strict)
This is required when proxying through Cloudflare to Vercel:
```bash
curl -s -X PATCH \
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/settings/ssl" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{"value": "strict"}' | jq .
```
### Enable Always Use HTTPS
```bash
curl -s -X PATCH \
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/settings/always_use_https" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{"value": "on"}' | jq .
```
## Caching Rules
### Set Browser Cache TTL
```bash
curl -s -X PATCH \
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/settings/browser_cache_ttl" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{"value": 14400}' | jq .
```
### Purge All Cache
Use after major deployments:
```bash
curl -s -X POST \
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/purge_cache" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{"purge_everything": true}' | jq .
```
### Purge Specific URLs
```bash
curl -s -X POST \
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/purge_cache" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{"files": ["https://example.com/path"]}' | jq .
```
## Security Rules
### Create Rate Limiting Rule
Protect API routes from abuse:
```bash
curl -s -X POST \
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/rulesets/phases/http_ratelimit/entrypoint" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{
"rules": [{
"expression": "(http.request.uri.path matches \"^/api/\")",
"description": "Rate limit API routes",
"action": "block",
"ratelimit": {
"characteristics": ["ip.src"],
"period": 60,
"requests_per_period": 100,
"mitigation_timeout": 600
}
}]
}' | jq .
```
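Because the rule's action is `block`, it helps to replay existing access logs against the same thresholds before deploying it and see which clients would have been cut off. This added Python example is not part of SKILL.md; it uses a simple sliding window as an approximation of the edge's counting, and `dry_run`, `sample_requests` and the log tuple format are assumptions.

```python
import re
from collections import defaultdict, deque

# Values copied from the rate limiting rule on this page.
PATH_RE = re.compile(r"^/api/")
PERIOD, LIMIT, TIMEOUT = 60, 100, 600


def dry_run(requests):
    """requests: (epoch_seconds, client_ip, path) tuples sorted by time.
    Returns {client_ip: requests that would have been blocked}."""
    window = defaultdict(deque)   # ip -> timestamps within the last PERIOD seconds
    blocked_until = {}
    blocked = defaultdict(int)
    for ts, ip, path in requests:
        if not PATH_RE.search(path):
            continue              # expression does not match, rule is not evaluated
        if ts < blocked_until.get(ip, 0):
            blocked[ip] += 1
            continue
        q = window[ip]
        while q and q[0] <= ts - PERIOD:
            q.popleft()
        q.append(ts)
        if len(q) > LIMIT:        # assumption: the request over the limit is blocked too
            blocked_until[ip] = ts + TIMEOUT
            blocked[ip] += 1
            q.clear()
    return dict(blocked)


def sample_requests():
    """Constructed traffic: one noisy API client, one steady client, one asset fetcher."""
    reqs = [(1000 + i // 5, "203.0.113.10", "/api/items") for i in range(150)]
    reqs += [(1000 + i, "198.51.100.7", "/api/items") for i in range(90)]
    reqs += [(1000 + i // 10, "192.0.2.55", "/_next/static/chunk.js") for i in range(300)]
    return sorted(reqs)


if __name__ == "__main__":
    print(dry_run(sample_requests()))
```

Since the rule counts per `ip.src`, an address that appears in the result may be a shared NAT or office egress rather than a single client, which is the legitimate-traffic risk the Planning Protocol asks to flag.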
### Enable Bot Fight Mode
```bash
curl -s -X PUT \
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/bot_management" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{"fight_mode": true}' | jq .
```
## Page Rules (Legacy but useful)
### Cache static assets aggressively
```bash
curl -s -X POST \
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/pagerules" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{
"targets": [{"target": "url", "constraint": {"operator": "matches", "value": "*.<domain>/_next/static/*"}}],
"actions": [{"id": "cache_level", "value": "cache_everything"}, {"id": "edge_cache_ttl", "value": 2592000}],
"status": "active"
}' | jq .
```
## Standard Setup for New Projects
When setting up Cloudflare for a new project on Vercel:
1. Add CNAME record pointing to `cname.vercel-dns.com`.
2. Set SSL to Full (Strict).
3. Enable Always Use HTTPS.
4. Add rate limiting for `/api/*` routes.
5. Enable Bot Fight Mode.
6. Set browser cache TTL to 4 hours.
7. Create a page rule to cache `_next/static/*` aggressively.
Run all steps in sequence and report the result of each.
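The commands on this page pipe every response to `jq .`, which prints a failed call the same way as a successful one. The added Python sketch below (not part of SKILL.md) runs a subset of the setup steps in order and stops at the first response whose Cloudflare API v4 envelope does not report `"success": true`; `run_steps`, `send` and `fake_send` are hypothetical names, and the failure response is constructed.

```python
# Added example (not from SKILL.md): run setup steps one at a time and stop at
# the first response whose envelope is not {"success": true}.
# `send` is a hypothetical transport callable: (method, path, body) -> dict.

STEPS = [  # paths and bodies taken from the commands on this page
    ("ssl strict", "PATCH", "/settings/ssl", {"value": "strict"}),
    ("always https", "PATCH", "/settings/always_use_https", {"value": "on"}),
    ("browser cache ttl", "PATCH", "/settings/browser_cache_ttl", {"value": 14400}),
]


def run_steps(zone_id, steps, send):
    """Return a per-step report; steps after a failure are marked 'skipped'."""
    report, failed = [], False
    for name, method, path, body in steps:
        if failed:
            report.append({"step": name, "status": "skipped"})
            continue
        resp = send(method, f"/zones/{zone_id}{path}", body)
        if resp.get("success") is True:
            report.append({"step": name, "status": "ok"})
        else:
            failed = True
            errs = [f"{e.get('code')}: {e.get('message')}" for e in resp.get("errors") or []]
            report.append({"step": name, "status": "failed", "errors": errs})
    return report


def fake_send(method, path, body):
    """Constructed stand-in for the API so the example runs offline."""
    if path.endswith("/settings/always_use_https"):
        return {"success": False, "result": None, "messages": [],
                "errors": [{"code": 0, "message": "constructed failure"}]}
    return {"success": True, "errors": [], "messages": [], "result": {"value": body["value"]}}


if __name__ == "__main__":
    for line in run_steps("zone-id-placeholder", STEPS, fake_send):
        print(line)
```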
## Troubleshooting
### 522 errors (Connection Timed Out)
- Check that SSL is set to Full (Strict), not Flexible.
- Verify Vercel domain is configured correctly.
- Check if Cloudflare is proxying (orange cloud) — it should be.
### Mixed content warnings
- Enable Always Use HTTPS.
- Check that all internal links use relative paths or `https://`.
### Cache not updating after deploy
- Purge cache after deployment.
- Check that `Cache-Control` headers are set correctly in `vercel.json`.