Alibabacloud Esa Pages Deploy

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears to perform Alibaba Cloud ESA deployments as advertised, but it asks for broad cloud privileges and can publish production changes, so it should be reviewed carefully before use.

Install only if you want the agent to deploy to Alibaba Cloud ESA. Use a dedicated RAM role with minimal permissions, verify the active Alibaba Cloud account/profile, review files before uploading folders, and treat production deployment URLs and temporary access tokens as sensitive.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the wrong credentials or an overly privileged RAM role are used, the agent could make broad changes to the user's Alibaba Cloud ESA environment.

Why it was flagged

The skill asks for a broad full-access Alibaba Cloud ESA policy. That is purpose-related, but it exceeds a clearly scoped least-privilege deployment role and could let the agent affect more ESA resources than the immediate task requires.

Skill content

Grant **AliyunESAFullAccess** policy to your RAM user/role before using this skill.

Recommendation

Use a dedicated RAM user or role with the minimum ESA Pages, Routine, OSS upload, and KV permissions needed, and make the selected credential/profile explicit before invoking the skill.

What this means

A mistaken deployment could replace or break the live ESA production site/function.

Why it was flagged

The folder deployment script rolls a code version to 100% of the production environment. This is expected for a deploy tool, but a wrong folder or build artifact could immediately affect public edge traffic.

Skill content

Env: "production", Strategy: "percentage", CodeVersions: JSON.stringify([{ Percentage: 100, CodeVersion: codeVersion }])

Recommendation

Confirm the routine name, target account, and folder contents before deployment; consider adding a staging-only or confirmation step for production releases.

What this means

Running a deployment may change Alibaba Cloud account/service state, not just upload files.

Why it was flagged

The script can enable the Edge Routine service automatically before deploying. This is disclosed and purpose-aligned, but it is still an account-level state change.

Skill content

await client.openErService(new Esa20240910.OpenErServiceRequest({}));

Recommendation

Confirm that enabling the ESA Edge Routine service in the selected account is intended before running the deployment scripts.

What this means

Users may install dependencies manually and could get different package versions or miss required packages.

Why it was flagged

The provided scripts depend on external npm packages, but the artifact set has no install spec, package manifest, or lockfile to make dependency installation reproducible.

Skill content

No install spec — this is an instruction-only skill.

Recommendation

Install only trusted, pinned dependency versions and prefer a reviewed package.json/lockfile for repeatable setup.