CPA Update - Secure CLI Proxy API Maintenance
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent Docker maintenance workflow for CPA, but it touches production containers, config files, auth directories, and an unpinned Docker image tag, so users should review commands before running them.
This skill appears safe to use as a documented maintenance checklist, not an automatic installer. Before running commands, confirm the target CPA container and paths, avoid exposing API keys in outputs, secure backups under /opt/cliproxyapi, test the new image on the alternate port, and consider pinning the Docker image version after validation.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the wrong container name, image, port, or volume is used, the CPA service could be interrupted or restarted with the wrong configuration.
The workflow includes high-impact Docker operations that can stop and replace a production container, but the section explicitly says user confirmation is required and the surrounding workflow requires backup, testing, and rollback.
## 3) Production release (requires user confirmation)
...
docker stop <CONTAINER_NAME>
docker rm <CONTAINER_NAME>
...
docker run -d
Only run production commands after confirming the exact container, image, ports, volumes, and backup/rollback artifacts with the user.
Provider API keys or authentication tokens could be exposed in terminal output, agent context, logs, or local backup archives if handled carelessly.
The instructions inspect and back up CPA configuration and auth directories that may contain API keys or OAuth/session material. This is expected for CPA maintenance, but it is sensitive access.
sed -n '1,220p' /opt/cliproxyapi/config.yaml
...
grep -n -- "-api-key:" /opt/cliproxyapi/config.yaml
...
cp -a /opt/cliproxyapi/auth /opt/cliproxyapi/backup/auth-${TS}
Redact API keys before sharing command output, restrict backup permissions, and keep auth/config archives only as long as needed for rollback.
A future latest image could introduce unexpected behavior or incompatibilities even when the same command is used.
The update path uses the mutable latest Docker tag. Pulling the latest image is consistent with the upgrade purpose, but it makes the exact runtime artifact depend on the current upstream tag.
docker pull eceasy/cli-proxy-api:latest
...
FROM eceasy/cli-proxy-api:latest
For production, review the upstream release, test first as instructed, and consider pinning a version tag or digest after validation.
