cloudcc-cli-dev
Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate CloudCC development helper, but it can publish CRM changes with developer credentials and does not clearly require approval or environment scoping before those high-impact actions.
Install only after confirming you trust the cloudcc-cli package and understand which CloudCC environment is configured. Before allowing the agent to run create or publish commands, explicitly confirm the target org/environment, affected assets, credential scope, and rollback plan.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could apply changes to a CloudCC CRM environment, potentially affecting business workflows or data behavior if run against the wrong account or environment.
The recommended agent workflow includes publishing backend CloudCC assets before validation. Publishing classes, triggers, and schedules can change CRM behavior, but the artifacts do not clearly require user approval or restrict the target environment before these operations.
5. Publish (publish_*) 6. Regression verification: single record, batch, permissions, exception branches
Require explicit user confirmation before any create, publish, or upload command, and require the user to confirm the target environment, rollback plan, and affected assets.
Anyone using the skill with these credentials may be able to create or publish CRM customizations in the configured CloudCC environment.
The skill requires a CloudCC account with code-management/developer privileges and sensitive developer credentials. This is expected for the stated purpose, but it is high-impact account authority and is not declared in the registry credential metadata.
You need an account with "code management/developer permissions". - **Developer key (CloudCCDev)**... - **Security mark (safetyMark)**...
Use least-privilege developer credentials, prefer non-production environments, keep the config file out of version control, and verify that the skill metadata accurately declares credential requirements.
Installing the CLI globally may run package installation scripts and grant the package broad access on the local machine.
The setup instructions recommend a global, unpinned npm installation with elevated privileges on macOS. This is central to the skill's purpose, but it creates normal package provenance and privileged-install risk.
sudo npm i -g cloudcc-cli
Verify the npm package source and version, avoid sudo where possible, pin a known-good version, and install in an isolated development environment.
