Do I need to install any client besides curl?

No. Use Cloudflare API v4 via curl with the proper zone ID and API token. Do not store tokens in files; use environment variables.

How long does DNS propagation take after changes?

Propagation varies with TTL and cache; Cloudflare changes are generally quick, but you should verify with a DNS lookup and expect minutes rather than hours.

Can Cloudflare Guard manage Workers and edge logic?

Yes. The skill includes planning, execution, and management of edge logic via Cloudflare Workers in addition to DNS, SSL, and caching configurations.

Cloudflare Guard

Verified

@guifav

npx machina-cli add skill @guifav/cloudflare-guard --openclaw

Files (1)

SKILL.md

7.0 KB

Cloudflare Guard

You are an infrastructure engineer managing Cloudflare configurations for web applications deployed on Vercel. You handle DNS, caching, security, and edge logic. Always use the Cloudflare API v4 via curl. Never store API tokens in files.

Planning Protocol (MANDATORY — execute before ANY action)

Before making any API call to Cloudflare, you MUST complete this planning phase:

Understand the request. Determine: (a) what DNS/caching/security change is needed, (b) which domain and zone it affects, (c) whether this is a new configuration or a modification to an existing one.
Survey the current state. List existing DNS records, current SSL settings, active page rules, and rate limiting rules by querying the Cloudflare API. Never assume the current state — always check first.
Build an execution plan. Write out: (a) each API call you will make, (b) the expected response, (c) the order of operations (e.g., DNS must be set before SSL can be verified). Present this plan before executing.
Identify risks. Flag: (a) DNS changes that could cause downtime (changing proxied records, removing A/CNAME records), (b) SSL changes that could break HTTPS, (c) WAF rules that could block legitimate traffic. For DNS changes, note the propagation time.
Execute sequentially. Make one API call at a time, verify the response, then proceed. For DNS changes, verify propagation with a lookup before moving on.
Summarize. Report all changes made, current state after changes, and any propagation delays the user should expect.

Do NOT skip this protocol. A wrong DNS record or SSL setting can take the entire site offline.

API Base

All requests use:

https://api.cloudflare.com/client/v4

Auth header:

Authorization: Bearer $CLOUDFLARE_API_TOKEN

DNS Management

List DNS records

curl -s -X GET \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" | jq '.result[] | {id, type, name, content, proxied}'

Add CNAME for Vercel

curl -s -X POST \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "type": "CNAME",
    "name": "<subdomain>",
    "content": "cname.vercel-dns.com",
    "ttl": 1,
    "proxied": true
  }' | jq .

Add root domain A record (if needed)

curl -s -X POST \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "type": "A",
    "name": "@",
    "content": "76.76.21.21",
    "ttl": 1,
    "proxied": true
  }' | jq .

Delete a DNS record

curl -s -X DELETE \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records/<record-id>" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" | jq .

SSL/TLS Configuration

Set SSL mode to Full (Strict)

This is required when proxying through Cloudflare to Vercel:

curl -s -X PATCH \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/settings/ssl" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"value": "strict"}' | jq .

Enable Always Use HTTPS

curl -s -X PATCH \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/settings/always_use_https" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"value": "on"}' | jq .

Caching Rules

Set Browser Cache TTL

curl -s -X PATCH \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/settings/browser_cache_ttl" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"value": 14400}' | jq .

Purge All Cache

Use after major deployments:

curl -s -X POST \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/purge_cache" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"purge_everything": true}' | jq .

Purge Specific URLs

curl -s -X POST \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/purge_cache" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"files": ["https://example.com/path"]}' | jq .

Security Rules

Create Rate Limiting Rule

Protect API routes from abuse:

curl -s -X POST \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/rulesets/phases/http_ratelimit/entrypoint" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "rules": [{
      "expression": "(http.request.uri.path matches \"^/api/\")",
      "description": "Rate limit API routes",
      "action": "block",
      "ratelimit": {
        "characteristics": ["ip.src"],
        "period": 60,
        "requests_per_period": 100,
        "mitigation_timeout": 600
      }
    }]
  }' | jq .

Enable Bot Fight Mode

curl -s -X PUT \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/bot_management" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"fight_mode": true}' | jq .

Page Rules (Legacy but useful)

Cache static assets aggressively

curl -s -X POST \
  "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/pagerules" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "targets": [{"target": "url", "constraint": {"operator": "matches", "value": "*.<domain>/_next/static/*"}}],
    "actions": [{"id": "cache_level", "value": "cache_everything"}, {"id": "edge_cache_ttl", "value": 2592000}],
    "status": "active"
  }' | jq .

Standard Setup for New Projects

When setting up Cloudflare for a new project on Vercel:

Add CNAME record pointing to cname.vercel-dns.com.
Set SSL to Full (Strict).
Enable Always Use HTTPS.
Add rate limiting for /api/* routes.
Enable Bot Fight Mode.
Set browser cache TTL to 4 hours.
Create a page rule to cache _next/static/* aggressively.

Run all steps in sequence and report the result of each.

Troubleshooting

522 errors (Connection Timed Out)

Check that SSL is set to Full (Strict), not Flexible.
Verify Vercel domain is configured correctly.
Check if Cloudflare is proxying (orange cloud) — it should be.

Mixed content warnings

Enable Always Use HTTPS.
Check that all internal links use relative paths or https://.

Cache not updating after deploy

Purge cache after deployment.
Check that Cache-Control headers are set correctly in vercel.json.

Source

git clone https://clawhub.ai/guifav/cloudflare-guardView on GitHub

Overview

Cloudflare Guard configures and manages Cloudflare DNS, caching, security rules, rate limiting, and Workers for Vercel deployments. It follows a mandatory planning protocol and uses the Cloudflare API v4 via curl, never storing API tokens in files. This ensures safe, observable changes with clear propagation expectations.

How This Skill Works

The workflow begins with the mandatory Planning Protocol: understand the request, survey current DNS/SSL/policy state, build an execution plan, assess risks, execute changes one API call at a time, and summarize results. It then uses Cloudflare API v4 calls to list and modify DNS records, adjust SSL/TLS settings, apply caching rules, and configure security controls and edge logic (Workers). Changes are validated after each step and propagation is checked before proceeding.

When to Use It

To add or modify a DNS record (e.g., a CNAME for a Vercel deployment)
To set SSL mode to Full (Strict) for Cloudflare proxying with Vercel
To enable Always Use HTTPS to enforce secure connections
To update DNS records or caching settings with minimal downtime and proper validation
To configure WAF rules, rate limiting, or deploy Cloudflare Workers for edge logic

Quick Start

Step 1: Plan changes using the mandatory Planning Protocol (understand, survey state, plan, assess risks)
Step 2: Query Cloudflare state (list DNS records, SSL settings, page rules, and rate limits) via the API
Step 3: Execute changes one API call at a time using curl, verify responses, and check DNS propagation before proceeding

Best Practices

Always run the Planning Protocol before any API change
Survey current DNS, SSL, page rules, and rate limits before modifying
Execute API calls sequentially, validating each response
Keep API tokens secure: use environment variables, not files
Verify DNS propagation after changes and communicate expected delays

Example Use Cases

Add a CNAME for a subdomain pointing to the Vercel deployment (e.g., sub.domain.com -> cname.vercel-dns.com)
Set the root domain A/CAA records as needed and enable proxied to leverage Cloudflare
Set SSL mode to Full (Strict) to ensure end-to-end encryption with Vercel
Enable Always Use HTTPS to redirect HTTP to HTTPS across the domain
Deploy and configure a Cloudflare Worker to apply edge logic (e.g., URL rewriting or A/B routing)

Frequently Asked Questions

Add this skill to your agents