Cloudflare MCP Skill

File-based Pipeline (Pass Paths Only)

runs/<workflow>/active/<run_id>/

• Input:

  01-input/goal.md

  (symptoms/objectives),

  01-input/context.json

  (account/worker/resource/time_range, etc.)
• Evidence:

  02-analysis/observability.md

  ,

  02-analysis/audit.md

  ,

  02-analysis/screenshots/

• Plan:

  03-plans/change-plan.md

  (write operation plan; must write here and await confirmation first)
• Output:

  05-final/report.md

  (conclusion + evidence chain + tool call summary + next steps)
• Logs:

  logs/events.jsonl

  (summary of each tool call)

Permission Tiers (Core Principles)

Tool Reference

Diagnose Tier (Read-only)

query_worker_observability

observability_keys

observability_values

workers_builds_list_builds

workers_builds_get_build

workers_builds_get_build_logs

get_url_html_content

get_url_markdown

get_url_screenshot

auditlogs_by_account_id

Change Tier (Write Operations)

accounts_list

set_active_account

workers_builds_set_active_worker

kv_namespaces_list

kv_namespace_get

kv_namespace_create

kv_namespace_update

kv_namespace_delete

r2_buckets_list

r2_bucket_get

r2_bucket_create

r2_bucket_delete

d1_databases_list

d1_database_get

d1_database_query

d1_database_create

d1_database_delete

hyperdrive_configs_list

hyperdrive_config_get

hyperdrive_config_create

hyperdrive_config_edit

hyperdrive_config_delete

workers_list

workers_get_worker

workers_get_worker_code

Super Admin Tier (Container Sandbox)

container_initialize

container_exec

container_file_write

container_file_read

container_files_list

container_file_delete

Security Rules (Must Follow)

Read Operations

1. Define scope first: account / worker / resource ID
2. No account? Run

   accounts_list

   first
3. Conclusions must have evidence chain: logs/screenshots/audit records

Write Operations (Three-step Flow)

1. Plan: Read current state first (list/get)
2. Confirm: Output precise change (name/ID/impact scope), await user confirmation
3. Execute: create/delete/update
4. Verify: audit logs + observability confirm no new errors

Prohibited Actions

• ❌ Execute create/delete/update without confirmation
• ❌ Delete production resources (unless user explicitly says "delete production xxx")
• ❌ Use Super Admin privileges in non-isolated environments
• ❌ Use container sandbox as persistent environment

Operation Workflows

Troubleshooting Flow (Typical)

1. Clarify symptoms → worker name/time range/error type
2. query_worker_observability to pull logs/metrics
3. If build-related → workers_builds_get_build_logs
4. If page-related → get_url_screenshot to reproduce
5. Trace changes → auditlogs_by_account_id
6. Summarize: root cause + evidence + fix recommendations

Resource Management Flow

1. accounts_list → set_active_account
2. List resources (kv_namespaces_list / r2_buckets_list / d1_databases_list)
3. Plan changes → present to user
4. Execute after confirmation
5. Verify: audit logs + observability shows no errors

Output Format

• Language: English
• Structure: Conclusion → Key data/evidence → Tool call summary → Next steps
• Write operations: Must clearly list operations to be executed and impact scope

✅ Investigation complete: worker `api-gateway` experienced 5xx spike between 18:00-18:30

Root cause: New code deployed threw TypeError when processing /v2/users
Evidence:
- Logs: 18:02 first occurrence of "Cannot read property 'id' of undefined"
- Audit: 18:00 user dev@example.com deployed new version
- Metrics: error_rate jumped from 0.1% to 12%

Recommendation: Roll back to previous version, or fix /v2/users handler

Error Handling

accounts_list

set_active_account

Scenario Examples