# Add to your Claude Code skills
git clone https://github.com/cloudflare/mcpGuides for using mcp servers skills like mcp.
Last scanned: 5/18/2026
{
"issues": [
{
"type": "npm-audit",
"message": "@cloudflare/vitest-pool-workers: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@hono/node-server: @hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware",
"severity": "high"
},
{
"type": "npm-audit",
"message": "express-rate-limit: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "fast-uri: fast-uri vulnerable to path traversal via percent-encoded dot segments",
"severity": "high"
},
{
"type": "npm-audit",
"message": "hono: Hono missing validation of cookie name on write path in setCookie()",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "ip-address: ip-address has XSS in Address6 HTML-emitting methods",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "miniflare: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "postcss: PostCSS has XSS via Unescaped </style> in its CSS Stringify Output",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "undici: Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client",
"severity": "high"
},
{
"type": "npm-audit",
"message": "vite: Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling",
"severity": "high"
},
{
"type": "npm-audit",
"message": "wrangler: Vulnerability found",
"severity": "high"
}
],
"status": "WARNING",
"scannedAt": "2026-05-18T08:04:01.593Z",
"semgrepRan": false,
"npmAuditRan": true,
"pipAuditRan": true
}mcp is an open-source mcp servers skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by cloudflare. MCP server for the Cloudflare API. It has 634 GitHub stars.
mcp returned warnings in SkillsLLM's automated security scan. It has no critical vulnerabilities, but review the flagged issues in the Security Report section before adding it to your workflow.
Clone the repository with "git clone https://github.com/cloudflare/mcp" and add it to your Claude Code skills directory (see the Installation section above).
mcp is primarily written in TypeScript. It is open-source under cloudflare on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other MCP Servers skills you can browse and compare side by side. Open the MCP Servers category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh mcp against similar tools.
No comments yet. Be the first to share your thoughts!
Top skills in this category by stars
Requires a passing catalog security scan. Resolve the flagged issues and resubmit to enable featuring.
A token-efficient MCP server for the entire Cloudflare API. 2500 endpoints in 1k tokens, powered by Code Mode.
| Approach | Tools | Token cost | Context used (200K) |
|---|---|---|---|
| Raw OpenAPI spec in prompt | — | ~2,000,000 | 977% |
| Native MCP (full schemas) | 2,594 | 1,170,523 | 585% |
| Native MCP (minimal — required params only) | 2,594 | 244,047 | 122% |
| Code mode | 3 | ~1,100 | 0.5% |
MCP URL: https://mcp.cloudflare.com/mcp
Just connect to the MCP server URL - you'll be redirected to Cloudflare to authorize and select permissions.
{
"mcpServers": {
"cloudflare-api": {
"type": "http",
"url": "https://mcp.cloudflare.com/mcp"
}
}
}
For CI/CD, automation, or if you prefer managing tokens yourself.
Create a Cloudflare API token with the permissions you need. Both user tokens and account tokens are supported. For account tokens, include the Account Resources : Read permission so the server can auto-detect your account ID.
Note: API tokens with Client IP Address Filtering enabled are not currently supported.
| Setting | Value |
|---|---|
| MCP URL | https://mcp.cloudflare.com/mcp |
| Bearer Token | Your Cloudflare API Token |
If your MCP client already uses code mode, or you're composing this server with another server that uses code mode, you can disable it with the ?codemode=false query parameter. This registers an individual tool for each of the ~2,500 Cloudflare API endpoints instead of the code mode API tools. The docs tool remains available in both modes.
https://mcp.cloudflare.com/mcp?codemode=false
{
"mcpServers": {
"cloudflare-api": {
"type": "http",
"url": "https://mcp.cloudflare.com/mcp?codemode=false"
}
}
}
When code mode is disabled:
get_workers_scripts, post_d1_database)account_id are auto-resolved when possible (single account)Note: Disabling code mode significantly increases the token cost (~244k tokens vs ~1k tokens). Only disable it when necessary for composition with other code mode systems.
The Cloudflare OpenAPI spec is 2 million tokens. Even with native MCP tools using minimal schemas, it's still ~244k tokens. Traditional MCP servers that expose every endpoint as a tool leak this entire context to the main agent.
This server solves the problem by using code execution in a Code Mode pattern - the spec lives on the server, and only the result of the code execution is returned to the agent.
Agent writes code to search the spec and execute API calls. It can also search Cloudflare's developer documentation directly.
| Tool | Description |
|---|---|
docs |
Search Cloudflare developer documentation |
search |
Write JavaScript to query spec.paths and find endpoints |
execute |
Write JavaScript to call cloudflare.request() with the discovered endpoints |
Agent MCP Server
│ │
├──search({code: "..."})───────►│ Execute code against spec.json
│◄──[matching endpoints]────────│
│ │
├──execute({code: "..."})──────►│ Execute code against Cloudflare API
│◄──[API response]──────────────│
Workers, KV, R2, D1, Pages, DNS, Firewall, Load Balancers, Stream, Images, AI Gateway, Vectorize, Access, Gateway, and more. See the full Cloudflare API schemas.
Once configured, just ask your agent to do things with Cloudflare:
The agent will search for the right endpoints and execute the API calls. Here's what happens behind the scenes:
// 1. Search for endpoints
search({
code: `async () => {
const results = [];
for (const [path, methods] of Object.entries(spec.paths)) {
for (const [method, op] of Object.entries(methods)) {
if (op.tags?.some(t => t.toLowerCase() === 'workers')) {
results.push({ method: method.toUpperCase(), path, summary: op.summary });
}
}
}
return results;
}`,
});
// 2. Execute API call (user token - account_id required)
execute({
code: `async () => {
const response = await cloudflare.request({
method: "GET",
path: \`/accounts/\${accountId}/workers/scripts\`
});
return response.result;
}`,
account_id: "your-account-id",
});
// 2. Execute API call (account token - account_id auto-detected)
execute({
code: `async () => {
const response = await cloudflare.request({
method: "GET",
path: \`/accounts/\${accountId}/workers/scripts\`
});
return response.result;
}`,
});
The server automatically detects and handles Cloudflare's GraphQL Analytics API endpoints. GraphQL queries work seamlessly through the same execute tool:
execute({
code: `async () => {
const response = await cloudflare.request({
method: "POST",
path: "/client/v4/graphql",
body: {
query: \`query {
viewer {
zones(filter: { zoneTag: "your-zone-id" }) {
httpRequests1dGroups(limit: 7, orderBy: [date_ASC]) {
dimensions {
date
}
sum {
requests
bytes
cachedBytes
}
}
}
}
}\`,
variables: {}
}
});
return response.result;
}`,
account_id: "your-account-id",
});
Code execution uses Cloudflare's Dynamic Worker Loader API to run generated code in isolated Workers, following the Code Mode pattern.
Read the Code Mode SDK docs for more info.