Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alibabacloud Pai Eas Service Deploy

v0.0.1-beta.1

Deploy AI models as PAI-EAS inference services. Supports LLMs (Qwen, Llama), image gen (SD, SDXL), speech synthesis, and more. When to use: deploy models, cr...

by alibabacloud-skills-team @sdk-team

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for sdk-team/alibabacloud-pai-eas-service-deploy.

Install the skill "Alibabacloud Pai Eas Service Deploy" (sdk-team/alibabacloud-pai-eas-service-deploy) from ClawHub.
Skill page: https://clawhub.ai/sdk-team/alibabacloud-pai-eas-service-deploy
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install alibabacloud-pai-eas-service-deploy

ClawHub CLI


npx clawhub@latest install alibabacloud-pai-eas-service-deploy
Security Scan
Capability signals
Crypto, Requires wallet, Can make purchases, Requires OAuth token, Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's name/description (PAI‑EAS service deploy) aligns with the actions in SKILL.md (list images, describe machine spec, create-service, describe-service-endpoints). However the manifest declares no required environment variables or primary credential even though every runtime step uses the Aliyun CLI and requires authenticated access. That mismatch (no declared ALIBABA_CLOUD_* or profile requirement) is inconsistent and should be justified.
! Instruction Scope
SKILL.md instructs the agent to run extensive account-scoped operations (aiworkspace list-images, eas describe-machine-spec, eas create-service, vpc/ecs/nlb queries, ossutil) and to create services. It also mandates autonomous execution ("Do NOT ask 'should I proceed?' Execute directly"), auto-switching instance types (silently change CPU→GPU for vLLM/SGLang), and to continue on many failures — behavior that can create billable cloud resources without explicit user confirmation. Those instructions go beyond simple guidance and give the agent broad discretion to act on the user's cloud account.
Install Mechanism
There is no install spec (instruction-only), which is lower risk. However the package contains three shell scripts (scripts/*.sh) while SKILL.md explicitly forbids writing/running bash scripts and instructs to execute CLI commands directly. The coexistence of shipped scripts and a ban on using scripts is an internal inconsistency (likely benign but worth auditing).
! Credentials
SKILL.md lists required_permissions (many Aliyun eas, aiworkspace, vpc, nlb, ecs, aiworkspace scopes) indicating need for significant IAM privileges, yet the registry metadata declares no required env vars or primary credential. The skill implicitly needs ALIBABA_CLOUD_ACCESS_KEY_ID/SECRET or an ECS RAM role to run. That omission is disproportionate and confusing: the skill requires broad cloud permissions but doesn't declare or surface how credentials will be provided or limited.
! Persistence & Privilege
The skill is not marked always:true, which is appropriate, but SKILL.md explicitly instructs autonomous execution without user confirmation and to proceed despite many errors. Combined with the broad required permissions and create-service operations, that autonomy increases blast radius (creates or modifies billable/costly resources). This combination should be treated cautiously even though autonomous invocation alone is normal.
What to consider before installing
Before installing: understand this skill will call Aliyun CLI commands that need valid Alibaba Cloud credentials and RAM permissions to list resources and create services (these are billable actions). The package metadata does not declare required credentials even though SKILL.md expects them — confirm how credentials will be supplied (prefer an ECS RAM role or a least-privilege RAM user) and avoid giving root keys. Audit the included scripts (scripts/*.sh) since they exist despite instructions saying not to run scripts. If you install, test in a non-production account with strict billing alerts and least-privilege IAM policies, and consider modifying the workflow to require explicit user confirmation before any create-service call. If you need more assurance, ask the publisher to (1) declare required env vars/primary credential in registry metadata, (2) remove or explain the purpose of bundled scripts, and (3) change the default to prompt before creating resources.

Like a lobster shell, security has layers — review code before you run it.

MIT-0

PAI-EAS Service Deployment

⚠️ TOP RULES (read first)

1. 🔴 NO DUPLICATE SERVICE NAMES 🔴

If a service with the target name already exists: STOP and inform the user. Do NOT delete and recreate. Do NOT reuse it either.

2. Mandatory API Calls — Execute ALL of these in order:

| # | API | CLI | Purpose |
|---|-----|-----|---------|
| 1 | ListImages | aliyun aiworkspace list-images | Validate image |
| 2 | describe-machine-spec | aliyun eas describe-machine-spec | Validate GPU type |
| 3 | create-service | aliyun eas create-service | Create service |
| 4 | describe-service | aliyun eas describe-service | Check status (once) |
| 5 | describe-service-endpoints | aliyun eas describe-service-endpoints | Get endpoints |

Execute #1 and #2 ALWAYS, even if user provided the info. describe-machine-spec ≠ list-resources. describe-service ≠ ListServices.

3. Prohibited:

  • ❌ Reuse existing service
  • ❌ Write bash scripts (run CLI directly)
  • ❌ CPU+vLLM/SGLang
  • ❌ file:// in create-service
  • ❌ Skip mandatory APIs
  • ❌ Change the service name the user specified
  • ❌ Poll describe-service in a loop (call once only)

4. Autonomous Execution — Do NOT ask user for info discoverable via APIs. Do NOT ask "should I proceed?" Execute directly. Timeout? Retry with --read-timeout 60. Error? Inform user and CONTINUE. Missing param? Pick reasonable default. If any pre-check or resource discovery step fails, log the failure and continue to the next step. Only STOP for the specific conditions listed in Self-Verify Checkpoints (duplicate service name, missing NLB/GW/dedicated resource group).

5. Self-Verify Checkpoints:

Before Step 2: Did Step 1.5 confirm no duplicate service name?
  If duplicate → STOP, inform user, do NOT proceed.
Before Step 5: Have I run list-images AND describe-machine-spec?
  If NO → STOP and run them NOW.
Before Step 6: Did Step 1.5 confirm no duplicate service name?
  If duplicate exists → STOP, inform user, do NOT proceed.
Step 4 resources: If NLB/GW/Resource Group not found → inform user and STOP.
  Do NOT block or attempt workarounds.
After Step 7: Did I call describe-service once and report the status?

6. Run CLI commands DIRECTLY — Use execute_shell_command to run each aliyun CLI command one at a time. Do NOT write bash scripts, deployment scripts, or shell files. Do NOT use retry_command() or any wrapper functions. Each command = one direct execution.


Pre-checks

aliyun configure ai-mode enable
aliyun configure ai-mode set-user-agent \
  --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-pai-eas-service-deploy"
aliyun plugin update
aliyun configure set --auto-plugin-install true

⚠️ MANDATORY: Install and update required plugins BEFORE proceeding:

aliyun plugin update
aliyun plugin install aiworkspace --force
aliyun plugin install eas --force

Verify plugins are installed:

aliyun plugin list 2>/dev/null | grep -E "aiworkspace|eas"

If either plugin is missing after install, retry with:

aliyun plugin install <plugin-name> --force

See CLI Guide. Never read/echo AK/SK. Timeout? Retry with --read-timeout 60.

⚠️ MANDATORY CHECKPOINT: After pre-checks, you MUST proceed to Step 1 regardless of any warnings during plugin installation. Plugin install failures are non-blocking — the plugins may already be installed. NEVER stop execution at the pre-check stage.


Step 1: Collect Parameters

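| Param | Required | Default |
|-------|----------|---------|
| RegionId | Yes | - |
| Service Name | Yes | - |
| Workspace ID | No | Auto-select |
| Image URI | Yes | - |
| Instance Type | Yes | - |
| Replicas | No | 1 |
| Port | No | 8000 |
| OSS Path | No | - |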

Service name: lowercase/digits/underscores only. No hyphens. 3-63 chars. IMPORTANT: Use the EXACT service name the user specifies. Do NOT rename. If the user specifies a prefix (e.g. "starts with skill_qwen_"), generate a random suffix of 6 digits (e.g. skill_qwen_482917).

Set profile region — Set the CLI profile region to match the deployment region. This avoids "Region mismatch" errors when --cluster-id differs from the profile's default region:

aliyun configure set --region <region>

Workspace ID: Required in metadata.workspace_id. If user does not specify a workspace, query available workspaces and pick one:

aliyun aiworkspace list-workspaces --region <region> \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-pai-eas-service-deploy | \
  jq '.Workspaces[] | select(.Status == "ENABLED") | {WorkspaceId, WorkspaceName}'

If multiple workspaces exist, list them and let the user choose. If only one exists, use it directly.

Step 1.5: Check for Duplicate Service Name

aliyun eas list-services --region <region> --cluster-id <region> \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-pai-eas-service-deploy | \
  jq '.ServiceList[] | select(.ServiceName == "<name>") | {ServiceName, Status}'

If a service with the same name already exists → STOP and inform the user: "A service named <name> already exists (Status: <status>). Please choose a different name." Do NOT delete or reuse it.

If no duplicate → proceed to Step 2.

Step 2: ListImages (🚧 BLOCKING GATE — NEVER SKIP)

Execute even if user provided image URI. Purpose = VALIDATION.

⚠️ If you see "parse error" or "Exit Code 4", the plugin failed to install. You MUST retry with explicit install:

aliyun plugin install aiworkspace --force

Then retry the list-images command. Do NOT skip this step.

aliyun aiworkspace list-images --region <region> --verbose true \
  --labels 'system.official=true,system.supported.eas=true' \
  --page-size 50 --user-agent AlibabaCloud-Agent-Skills/alibabacloud-pai-eas-service-deploy | \
  jq '.Images[] | {ImageId, ImageUri, ImageCategory}' > /tmp/eas_images.json
# The file holds a stream of objects, not an array, so slurp it (-s) before counting
echo "Saved $(jq -s length /tmp/eas_images.json) images"

If still fails after plugin reinstall, retry with timeout:

aliyun aiworkspace list-images --region <region> --verbose true \
  --labels 'system.official=true,system.supported.eas=true' \
  --page-size 50 --read-timeout 60 \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-pai-eas-service-deploy | \
  jq '.Images[] | {ImageId, ImageUri, ImageCategory}' > /tmp/eas_images.json
echo "Saved $(jq -s length /tmp/eas_images.json) images"

See Model-Image. This output is REQUIRED by Step 5. Do NOT skip. ❌ NEVER skip this step saying "user already provided the image".

Step 3: describe-machine-spec (🚧 BLOCKING GATE — NEVER SKIP)

Execute even if user specified instance type. NOT list-resources.

⚠️ If this command fails, retry with --read-timeout 60. NEVER proceed to Step 5 without /tmp/eas_specs.json existing.

aliyun eas describe-machine-spec --region <region> \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-pai-eas-service-deploy | \
  jq '.InstanceTypes[] | select(.GPU > 0) | {InstanceType, CPU, GPU, Memory}' \
  > /tmp/eas_specs.json
echo "Available GPU specs:"; cat /tmp/eas_specs.json

CPU→GPU auto-switch: If vLLM/SGLang + CPU, silently pick GPU. Do NOT ask. This output is REQUIRED by Step 5. Do NOT skip.

Step 4: Network & Resource Config

| Type | VPC | Config |
|------|-----|--------|
| Shared | No | (default, no networking fields) |
| Dedicated GW | Yes | networking.gateway + cloud.networking |
| NLB | Yes | networking.nlb + cloud.networking |

⚠️ If a required resource does not exist → STOP and inform the user. Do NOT block or attempt workarounds. This is a valid outcome.

Dedicated Gateway — Call list-gateway. If no gateway exists → inform user and STOP. Otherwise call describe-gateway to get VPC/VSwitch, then query security group under that VPC. If no security group found → inform user and STOP.

aliyun eas list-gateway --region <region> \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-pai-eas-service-deploy

If gateway found, get details:

aliyun eas describe-gateway --region <region> --cluster-id <region> \
  --gateway-id <gateway_id> \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-pai-eas-service-deploy

Extract VPC and comma-separated VSwitch ID:

aliyun eas describe-gateway --region <region> --cluster-id <region> \
  --gateway-id <gateway_id> \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-pai-eas-service-deploy | \
  jq '{vpc_id: .LoadBalancerList[0].VpcId, vswitch_id: (.LoadBalancerList[0].VSwitchIds | join(","))}'

NLB — Requires VPC/VSwitch/SecurityGroup. If user does not provide them, query via APIs. If any required resource not found → inform user and STOP.

⚠️ NLB requires ≥2 VSwitches across different availability zones. Use comma-separated format: "vswitch_id": "vsw-zone-a,vsw-zone-b".

⚠️ NLB Plugin Bug (aliyun-cli-eas v0.2.0): If create-service with NLB config returns 400 with 'vswitch can not be null' or 'vpcId, vswId and securityGroupId are required', this is a known CLI plugin bug (not a resource issue). Fallback strategy:

  1. Retry create-service with NLB config once more (max 2 attempts).
  2. If both fail → Remove networking.nlb and cloud.networking from service.json, redeploy with shared gateway.
  3. Inform user: "NLB config failed due to CLI plugin limitation. Deployed with shared gateway instead."

EAS Dedicated Resource Group — Call list-resources. Filter for ResourceType == "Dedicated" and Status == "ResourceReady".

aliyun eas list-resources --region <region> \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-pai-eas-service-deploy | \
  jq '.Resources[] | select(.ResourceType == "Dedicated" and .Status == "ResourceReady") | {ResourceId, ResourceType, Status}'
  • If exists → Set "metadata": {"resource": "<ResourceId>"}. Do NOT set cloud.computing.
  • If NOT exists → Inform the user and STOP. Do NOT fall back to public resource group.

Step 5: Build Service JSON

⚠️ BEFORE building JSON, you MUST read these reference files:

  • references/config-patterns.md — Complete JSON templates for all 8 patterns
  • references/config-schema.md — Field descriptions and validation rules
  • references/storage-mount.md — OSS/NAS mount configuration details
  • references/network-config.md — NLB/Gateway network configuration details

⚠️ HARD GATE: Before writing service.json, VERIFY these files exist and have content. If either is missing → STOP and run that Step NOW.

test -s /tmp/eas_images.json || echo "MISSING: Run Step 2 NOW"
test -s /tmp/eas_specs.json || echo "MISSING: Run Step 3 NOW"

⚠️ JSON format rules:

  • Allowed top-level keys: metadata, containers, storage, cloud, autoscaler, networking
  • ❌ NEVER use as top-level keys: spec, ServiceName, Image, Cpu, Memory, Gpu, processor_path, resourceGroupId, instance, port, command, access
  • ❌ FORBIDDEN fields: processor_path, resourceGroupId, spec, access
  • metadata.name = service name, metadata.workspace_id = workspace (REQUIRED)
  • containers[].image = image URI, containers[].command = start command, containers[].port = port
  • cloud.computing.instance_type = instance type (MANDATORY for shared gateway)

Quick Reference — JSON Skeletons

Below are minimal skeletons. Read references/config-patterns.md for complete templates with all fields and examples.

Base (Shared Gateway):

{"metadata":{"name":"<name>","instance":1,"workspace_id":"<ws>"},
 "containers":[{"image":"<img>","port":<p>,"command":"<cmd>"}],
 "cloud":{"computing":{"instance_type":"<type>"}}}

  • + OSS → add "storage":[{"mount_path":"/dir","oss":{"path":"oss://<b>/<p>/","readOnly":true}}]
  • + Autoscaling → add "autoscaler":{"min":1,"max":4,"scaleStrategies":[{"metricName":"qps","threshold":20}]}
  • + Health Check → add startup_check to containers[] (see config-patterns.md Pattern 4)

NLB — full template (read references/network-config.md for details):

{"metadata":{"name":"<name>","instance":1,"workspace_id":"<ws>"},
 "containers":[{"image":"<img>","port":<p>,"command":"<cmd>"}],
 "cloud":{"computing":{"instance_type":"<type>"},
          "networking":{"vpc_id":"<vpc>","vswitch_id":"<vsw1>,<vsw2>","security_group_id":"<sg>"}},
 "networking":{"nlb":[{"id":"default","listener_port":<p>,"netType":"intranet"}]}}

⚠️ vswitch_id must be comma-separated with ≥2 VSwitches across different zones

Dedicated Resource Group ("metadata.resource" instead of cloud.computing):

{"metadata":{"name":"<name>","instance":1,"resource":"<res_id>","workspace_id":"<ws>"},
 "containers":[{"image":"<img>","port":<p>,"command":"<cmd>"}]}

Dedicated Gateway (networking.gateway + cloud.networking):

{"metadata":{"name":"<name>","instance":1,"workspace_id":"<ws>"},
 "containers":[{"image":"<img>","port":<p>,"command":"<cmd>"}],
 "networking":{"gateway":"<gw_id>"},
 "cloud":{"computing":{"instance_type":"<type>"},
          "networking":{"vpc_id":"<vpc>","vswitch_id":"<vsw1>,<vsw2>","security_group_id":"<sg>"}}}

⚠️ vswitch_id comma-separated if gateway returns multiple VSwitches

Validate Before Writing

# Steps 2 and 3 write one JSON object per entry (a stream), so filter each object directly
jq -r 'select(.ImageUri | contains("vllm")) | .ImageUri' /tmp/eas_images.json
jq -r 'select(.InstanceType == "<type>") | .InstanceType' /tmp/eas_specs.json
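
The naming rule from Step 1 and the JSON format rules from Step 5 can be checked locally before any create-service call is made. The following is an added example, not part of the skill or of Alibaba Cloud's tooling: validate_service_json and the sample values (gpu.x, vpc-x, vsw-a, 12345) are constructed, and requiring instance_type whenever metadata.resource is absent is an assumption drawn from the skeletons above.

```python
import json
import re

ALLOWED_TOP = {"metadata", "containers", "storage", "cloud", "autoscaler", "networking"}
FORBIDDEN = {"processor_path", "resourceGroupId", "spec", "access"}
NAME_RE = re.compile(r"[a-z0-9_]{3,63}")
NET_FIELDS = ("vpc_id", "vswitch_id", "security_group_id")


def _obj(value):
    return value if isinstance(value, dict) else {}  # tolerate wrong types


def _forbidden_paths(node, path="$"):
    """Yield the path of every forbidden key at any nesting depth."""
    if isinstance(node, list):
        node = dict(enumerate(node))  # list index becomes the path segment
    for key, value in _obj(node).items():
        if key in FORBIDDEN:
            yield f"{path}.{key}"
        yield from _forbidden_paths(value, f"{path}.{key}")


def validate_service_json(text):
    """Check a create-service body against the Step 1 / Step 5 rules; return violations."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    errors = [f"top-level key not allowed: {k}" for k in sorted(set(doc) - ALLOWED_TOP)]
    errors += [f"forbidden field: {p}" for p in _forbidden_paths(doc)]
    meta, cloud = _obj(doc.get("metadata")), _obj(doc.get("cloud"))
    net, cloud_net = _obj(doc.get("networking")), _obj(cloud.get("networking"))
    name = meta.get("name")
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        errors.append("metadata.name: 3-63 chars of lowercase letters, digits, underscores")
    if not meta.get("workspace_id"):
        errors.append("metadata.workspace_id is required")
    if meta.get("resource"):
        if "computing" in cloud:
            errors.append("metadata.resource is set (dedicated resource group): omit cloud.computing")
    elif not _obj(cloud.get("computing")).get("instance_type"):
        errors.append("cloud.computing.instance_type is required")
    if "nlb" in net or "gateway" in net:
        errors += [f"cloud.networking.{f} is required" for f in NET_FIELDS if not cloud_net.get(f)]
        vswitches = [v for v in str(cloud_net.get("vswitch_id") or "").split(",") if v.strip()]
        # Zone spread cannot be checked offline; only the count is enforced.
        if "nlb" in net and len(vswitches) < 2:
            errors.append("NLB needs at least 2 comma-separated VSwitch IDs")
    return errors


# Constructed sample: hyphenated name, prohibited top-level key, NLB with one VSwitch and no security group.
BAD = json.dumps({
    "ServiceName": "qwen-demo", "metadata": {"name": "qwen-demo", "workspace_id": "12345"},
    "containers": [{"image": "example/image:tag", "port": 8000, "command": "serve"}],
    "cloud": {"computing": {"instance_type": "gpu.x"}, "networking": {"vpc_id": "vpc-x", "vswitch_id": "vsw-a"}},
    "networking": {"nlb": [{"id": "default", "listener_port": 8000, "netType": "intranet"}]},
})

if __name__ == "__main__":
    print("\n".join(validate_service_json(BAD)) or "OK")
```

An empty result is the condition for going on to Step 6; anything else is reported back instead of being sent to the API.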

Step 6: Create Service (MANDATORY)

🔴 CONFIRM: Did Step 1.5 confirm no duplicate service name? If a service with this name already exists → STOP. Inform the user and do NOT proceed with create-service. Use $(cat service.json) NOT file://service.json. Run this DIRECTLY via execute_shell_command, do NOT write a bash script.

aliyun eas create-service --region <region> \
  --body "$(cat service.json)" \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-pai-eas-service-deploy

  • 409 Conflict → Service already exists. Inform the user and STOP.
  • 400 BadRequest with 'vswitch can not be null' or 'vpcId, vswId and securityGroupId are required' → NLB CLI plugin bug (see Step 4 fallback). Remove networking.nlb and cloud.networking from service.json and retry.

Step 7: Verify Deployment

Call describe-service ONCE to check the current status. Do NOT poll. Do NOT loop. Do NOT wait for Running.

aliyun eas describe-service --region <region> --cluster-id <region> \
  --service-name <name> \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-pai-eas-service-deploy | \
  jq '{Status, ServiceName, ServiceId}'

Report whatever status you get (Running, Waiting, Creating, etc.) and proceed to Step 8 immediately. create-service returning 200 = success.

Step 8: Report Result (MANDATORY)

Get endpoint info via DescribeServiceEndpoint:

aliyun eas describe-service-endpoints --region <region> --cluster-id <region> \
  --service-name <name> --user-agent AlibabaCloud-Agent-Skills/alibabacloud-pai-eas-service-deploy | \
  jq '{AccessToken, Endpoints: [.Endpoints[] | {
    Type: .EndpointType, Port: .Port,
    InternetEndpoints: .InternetEndpoints,
    IntranetEndpoints: .IntranetEndpoints
  }]}'

Use the status from Step 7 and the endpoints above to report.

Copy the ENTIRE output into your final response. Format:

Deployment Summary
==================
Service Name: <name>
Status: <from Step 7>

Endpoints:
- <EndpointType>:
    InternetEndpoint: <url or null>
    IntranetEndpoint: <url or null>
    Port: <port or 0>

Service Invocation Examples:
  curl <internet-endpoint>/api/predict/<name> \
    -H "Authorization: <AccessToken>"
  curl <intranet-endpoint>/api/predict/<name> \
    -H "Authorization: <AccessToken>"
  curl <nlb-domain>:<listener_port>/api/predict/<name> \
    -H "Authorization: <AccessToken>"

InternetEndpoint and IntranetEndpoint MUST appear in your response, even if null. If null: (not available for this network type)

Always include a service invocation example using the AccessToken and endpoint URL.

Success criteria: create-service returning 200 with ServiceId = success. Any status (Running, Waiting, Creating) is acceptable.


When done, disable AI-Mode: aliyun configure ai-mode disable

References (read when needed)

| Doc | When to Read |
|-----|--------------|
| Config Patterns | Step 5 — Complete JSON templates for all 8 patterns |
| Config Schema | Step 5 — Field descriptions and validation rules |
| Storage Mount | Step 5 — OSS/NAS mount details |
| Network Config | Step 4/5 — NLB/Gateway config details |
| Model-Image | Step 2 — Image selection guide |
| Related APIs | Any step — CLI command reference |
| Workflow | Overview — Full deployment flow |
| CLI Guide | Pre-checks — Plugin install |
| RAM Policies | Pre-checks — Required permissions |
| Service Features | Step 5 — Advanced features |
