chore(deps): update cloudflare/skills digest to 60147cb

[renovate]

This PR contains the following updates:

Package	Update	Change
cloudflare/skills	digest	7c449de → 60147cb

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

🛡️ Skill Security Scan Results

✅ agents-sdk

• Status: Passed
• Findings: 5
• Allowed (not blocking): 1
  • MANIFEST_MISSING_LICENSE (Allowed: cloudflare/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

❌ cloudflare

• Status: Failed
• Findings: 14
• Blocking: 1

Blocking issues:

• [BEHAVIOR_BASH_TAINT_FLOW] (HIGH) Variable $UPDATED (from network at line 6: UPDATED=$(echo "$FLAG" | jq '.enabled = true')) flows to execution sink curl at line 7. Executing network-sourced data is a remote code execution vector. (references/flagship/gotchas.md:75)

Allowlisted (not blocking):

• EXCESSIVE_FILE_COUNT (Allowed: This umbrella skill ships one references/<product>/ subdirectory per Cloudflare product (316 files total). The large file count is by upstream design — the skill functions as a product index that routes to the relevant reference for any Cloudflare task. All files are Cloudflare-authored documentation, not bundled dependencies.)
• MANIFEST_MISSING_LICENSE (Allowed: cloudflare/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ cloudflare-email-service

• Status: Passed
• Findings: 5
• Allowed (not blocking): 1
  • MANIFEST_MISSING_LICENSE (Allowed: cloudflare/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ durable-objects

• Status: Passed
• Findings: 4
• Allowed (not blocking): 1
  • MANIFEST_MISSING_LICENSE (Allowed: cloudflare/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ sandbox-sdk

• Status: Passed
• Findings: 5
• Allowed (not blocking): 1
  • MANIFEST_MISSING_LICENSE (Allowed: cloudflare/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ web-perf

• Status: Passed
• Findings: 5
• Allowed (not blocking): 1
  • MANIFEST_MISSING_LICENSE (Allowed: cloudflare/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ workers-best-practices

• Status: Passed
• Findings: 5
• Allowed (not blocking): 1
  • MANIFEST_MISSING_LICENSE (Allowed: cloudflare/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ wrangler

• Status: Passed
• Findings: 4
• Allowed (not blocking): 1
  • MANIFEST_MISSING_LICENSE (Allowed: cloudflare/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

---

Summary: Scanned 8 skill(s), found 1 blocking issue(s).

⚠️ Action Required: Review the blocking findings. Add a justified entry to the skill's security.allowed_issues[] in its spec.yaml if the finding is a false positive.