Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alibabacloud Tech Solution Animation Creation Auto Deploy

v0.0.1

Alicloud Service Scenario-Based Skill. Use for auto-deploying the "Build AI Animation Story Creation App" solution. Automatically creates OSS Bucket, deploys...

by alibabacloud-skills-team@sdk-team

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for sdk-team/alibabacloud-tech-solution-animation-creation-auto-deploy.

Install the skill "Alibabacloud Tech Solution Animation Creation Auto Deploy" (sdk-team/alibabacloud-tech-solution-animation-creation-auto-deploy) from ClawHub.
Skill page: https://clawhub.ai/sdk-team/alibabacloud-tech-solution-animation-creation-auto-deploy
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install alibabacloud-tech-solution-animation-creation-auto-deploy

ClawHub CLI


npx clawhub@latest install alibabacloud-tech-solution-animation-creation-auto-deploy
Security Scan
Capability signals
Requires wallet, Requires OAuth token, Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared purpose (auto-deploy an Alibaba Cloud solution) aligns with the scripts and CLI calls: creating OSS buckets, Devs projects, FC functions, roles, and policies is expected. However, two things stand out: (1) the skill auto-attaches broad system policies (AliyunOSSFullAccess, AliyunFCFullAccess) to the calling RAM user which is a powerful privilege escalation step; (2) it depends on a third-party service (domain.devsapp.net) for custom-domain registration rather than using only Alibaba Cloud APIs. Both are plausible for this deployment scenario but are security-sensitive and should be explicitly consented to by the user.
Instruction Scope
The runtime instructions and scripts go beyond simple resource creation: they auto-create workspaces and API keys (and print the API key value), auto-attach system policies to RAM users, create or update IAM role trust policies, and POST account identifiers and domain-registration requests to domain.devsapp.net. The SKILL.md says 'NEVER' to echo AK/SK, but the create-api-key script echoes the created API_KEY and API_KEY_ID to stdout (which may be logged), and create-custom-domain.sh sends the account ID and function name to an external DNS service. These operations expand the attack surface (sensitive tokens printed, third-party network calls, privilege changes).
Install Mechanism
This is instruction-only (no install spec), so nothing is forcibly downloaded by a package installer. The scripts reference official aliyun CLI binaries (installation guide uses aliyuncdn official URLs). One red flag: the helper function created by scripts embeds a base64 zipFile in the create-function call (obfuscated payload). Embedding base64 in the script is explainable (helper function code packaged inline) but should be inspected before execution.
Credentials
No required env vars are declared in the registry metadata, yet the scripts require an active aliyun CLI profile or environment credentials and will modify account resources. The skill will attempt to attach broad system policies to the calling RAM user and create/update IAM roles; those are high privileges but arguably necessary for the deployment. The skill also emits (echoes) a newly-created Bailian API key to stdout, which risks leakage in logs. Contacting domain.devsapp.net sends the AccountId (MY_UID) to a third party — this is sensitive and not strictly required by Alibaba Cloud itself.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system-wide agent settings. It creates cloud resources and IAM role/policies in the user's Alibaba account (expected for a deploy tool). There is no persistent agent-side installation or force-inclusion behavior.
Scan Findings in Context
[base64-block] unexpected: A base64-encoded zip is embedded in the create-function payload (scripts/create-custom-domain.sh). Embedding compressed code this way can be legitimate for creating a helper FC function, but it also obscures the function contents; you should decode and inspect it before running. Presence of base64 data is not inherently malicious but increases the need for manual review.
What to consider before installing
This skill automates high-privilege cloud operations and contacts an external DNS service; do not run it in a production or high-privilege account without review. Before using: (1) Inspect every script (especially the base64 zip payload in create-custom-domain.sh) — decode the zip and review its index.js; (2) Run in a disposable/test Alibaba account or sandbox with least-privilege credentials (prefer STS tokens or an ECS role with scoped permissions); (3) Do not allow automatic policy attachment — manually review and attach only the minimum required permissions; (4) Be cautious about printing or logging the created API key (API_KEY) — treat it as a secret and rotate/delete it after testing; (5) Confirm you trust domain.devsapp.net (the script sends your AccountId and registers DNS there); if you prefer, perform custom-domain registration manually with your own DNS to avoid the third-party step; (6) If the skill's author or an official Alibaba Cloud source can be verified (homepage, published repo, or vendor support), that reduces risk — otherwise treat this as an untrusted automation and follow the mitigation steps above.
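One way to carry out the "decode the zip and review its index.js" step without running anything, as an added example that is not part of the skill or of the ClawHub scanner. The 64-character threshold, the 1 MiB cap, and the sample command line are assumptions constructed for illustration; point `find_embedded_zips` at the text of the real script instead.

```python
import base64
import io
import re
import zipfile

# Long runs of base64 characters; the 64-character floor is an assumption of this example.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
MAX_MEMBER_BYTES = 1 << 20  # refuse to inflate members larger than 1 MiB


def find_embedded_zips(script_text):
    """Return one {member_name: bytes} dict per base64 run that decodes to a zip.

    Members are read into memory only; nothing is written to disk or executed.
    """
    archives = []
    for match in B64_RUN.finditer(script_text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error: bad length or padding
            continue
        if not raw.startswith(b"PK\x03\x04"):  # zip local-file-header magic
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(raw)) as zf:
                members = {}
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        members[info.filename] = None  # too large, review by hand
                    else:
                        members[info.filename] = zf.read(info)
                archives.append(members)
        except zipfile.BadZipFile:
            continue
    return archives


def constructed_sample():
    """Build a stand-in script line (constructed here, not the skill's real script)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("index.js", "exports.handler = (e, c, cb) => cb(null, 'ok');\n")
    blob = base64.b64encode(buf.getvalue()).decode()
    return 'aliyun fc-open create-function --body "{\\"zipFile\\":\\"%s\\"}"\n' % blob


if __name__ == "__main__":
    for archive in find_embedded_zips(constructed_sample()):
        for name, data in archive.items():
            print(name, "(skipped: too large)" if data is None else data.decode(errors="replace"))
```

A blob that is split across lines or built by string concatenation will not match the single-run pattern, so an empty result is not proof that no payload is embedded.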

Like a lobster shell, security has layers — review code before you run it.

latest: vk97ebn7x35x8m1nq05bf7yjh1h851ebr
95 downloads
0 stars
2 versions
Updated 1w ago
v0.0.1
MIT-0

Build AI Animation Story Creation App — Auto Deploy

Automatically deploy the Alibaba Cloud "Build AI Animation Story Creation App" solution. Deployment stops once the application is accessible — the hands-on experience is left to the user.

Architecture: OSS Bucket + DashScope (Bailian API Key) + FC App (ComfyUI + WebUI — two functions deployed via Devs template)

Installation

Prerequisites (scripts/ runtime dependencies):

| Dependency | Min Version | Check Command | Purpose |
| --- | --- | --- | --- |
| bash | 4.0+ | bash --version | Script runtime |
| aliyun CLI | >= 3.3.7 | aliyun version | Alibaba Cloud resource operations (3.3.7+ required for ai-mode subcommand) |
| python3 | 3.6+ | python3 --version | JSON parsing |
| curl | any | curl --version | HTTP API calls |

If the Aliyun CLI is not installed or its version is too low, see references/cli-installation-guide.md for installation instructions. Then [MUST] run aliyun configure set --auto-plugin-install true to enable automatic plugin installation.


CLI Initialization (MUST run before Core Workflow)

Enable AI-Mode, set the dedicated User-Agent, and update plugins so all subsequent CLI calls are tagged correctly and run on the latest plugin versions:

aliyun configure ai-mode enable
aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-tech-solution-animation-creation-auto-deploy"
aliyun plugin update

Authentication

Pre-check: Alibaba Cloud Credentials Required

Security Rules:

  • NEVER read, echo, or print AK/SK values
  • NEVER ask the user to input AK/SK directly in the conversation or command line
  • NEVER use aliyun configure set with literal credential values
  • ONLY use aliyun configure list to check credential status

aliyun configure list

Check the output for a valid profile (AK, STS, or OAuth identity).

If no valid profile exists, STOP here.

  1. Obtain credentials from Alibaba Cloud Console
  2. Configure credentials outside of this session
  3. Return and re-run after aliyun configure list shows a valid profile

RAM Policy

See references/ram-policies.md for full permission list.

Required system policies: AliyunFCFullAccess, AliyunOSSFullAccess

Additional permissions: Devs-related permissions (devs:CreateProject, devs:RenderServicesByTemplate, devs:UpdateEnvironment, devs:DeployEnvironment, devs:ListEnvironments, devs:GetEnvironment)

Before the Core Workflow, automatically check and attach required policies:

bash scripts/attach-policies.sh

[MUST] Permission Failure Handling: When any command or API call fails due to permission errors at any point during execution, follow this process:

  1. Read references/ram-policies.md to get the full list of permissions required by this SKILL
  2. Use ram-permission-diagnose skill to guide the user through requesting the necessary permissions
  3. Pause and wait until the user confirms that the required permissions have been granted

Parameter Confirmation

IMPORTANT: Parameter Confirmation — Before executing any command or API call, all parameters are either fixed values or auto-generated/created — no manual user input required.

| Parameter | Required | Description | Value |
| --- | --- | --- | --- |
| RegionId | Yes | Deployment region (FC and OSS in the same region) | Fixed cn-hangzhou |
| BUCKET_NAME | Yes | OSS Bucket name | Auto-generated animation-story-<6 random lowercase letters> |
| API_KEY | Yes | Bailian (DashScope) API Key | Auto-created via aliyun modelstudio create-api-key |
| PROJECT_NAME | Yes | Devs project name | Auto-generated animation-creation-<6 random lowercase letters> |

Before starting the Core Workflow, set the following variables in the shell (all subsequent commands reference them directly):

# Generate random names
BUCKET_NAME="animation-story-$(cat /dev/urandom | LC_ALL=C tr -dc 'a-z' | head -c 6)"
PROJECT_NAME="animation-creation-$(cat /dev/urandom | LC_ALL=C tr -dc 'a-z' | head -c 6)"
echo "BUCKET_NAME=$BUCKET_NAME, PROJECT_NAME=$PROJECT_NAME"

Core Workflow

Step 1: Create Bailian API Key (CLI)

Automatically obtain the workspace and create an API Key via aliyun modelstudio CLI:

source scripts/create-api-key.sh

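Note: Use source to ensure the API_KEY variable is exported to the current shell. The script automatically fetches the default workspace (or creates one if none exists), creates an API Key, and prints the full value. Because the key is written to stdout, it can end up in terminal scrollback or agent logs; treat it as a secret.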

Step 2: Enable OSS Service and Create Bucket (CLI)

Note: The OSS CLI plugin uses the --ua flag (not --user-agent) to set the User-Agent.

First enable OSS service (returns ORDER.OPEND if already enabled — can be ignored):

aliyun ossadmin open-oss-service --endpoint oss-admin.aliyuncs.com --force --user-agent AlibabaCloud-Agent-Skills/alibabacloud-tech-solution-animation-creation-auto-deploy 2>&1 || true

Create Bucket:

aliyun oss mb "oss://$BUCKET_NAME" --region cn-hangzhou --ua AlibabaCloud-Agent-Skills/alibabacloud-tech-solution-animation-creation-auto-deploy

Verify:

aliyun oss stat "oss://$BUCKET_NAME" --ua AlibabaCloud-Agent-Skills/alibabacloud-tech-solution-animation-creation-auto-deploy

Step 3: Create Devs Project (CLI)

Use the CreateProject API to create a project. Specify the template name and parameters via templateConfig — Devs will automatically create a production environment.

Note: CreateProject only creates the project and an empty environment — it does NOT trigger deployment automatically. You must follow up with RenderServicesByTemplate + UpdateEnvironment + DeployEnvironment to complete deployment.

aliyun devs create-project --body "{
  \"name\": \"$PROJECT_NAME\",
  \"spec\": {
    \"templateConfig\": {
      \"templateName\": \"animation-creation\",
      \"parameters\": {
        \"region\": \"cn-hangzhou\",
        \"bailian_api_key\": \"$API_KEY\",
        \"ossBucket\": \"$BUCKET_NAME\"
      }
    }
  }
}" --user-agent AlibabaCloud-Agent-Skills/alibabacloud-tech-solution-animation-creation-auto-deploy

Template parameter notes (confirmed — do not modify):

  • region: Fixed cn-hangzhou
  • bailian_api_key: Bailian API Key auto-created in Step 1
  • ossBucket: OSS Bucket name created in Step 2 (without oss:// prefix)
  • All parameters are passed via parameters, not variableValues

Step 4: Render Template and Configure Environment (CLI)

All commands in this step use shell variables MY_UID, PROJECT_NAME, BUCKET_NAME, API_KEY — make sure Step 1 and Parameter Confirmation have been executed.

First obtain the current user UID and check the role trust policy:

source scripts/setup-role.sh

Note: Use source to ensure the MY_UID variable is exported to the current shell. The script automatically checks whether the role exists and creates it if not. This role is the standard Devs role, typically auto-created when using the FC console's application feature for the first time.

4a. Render Template → Build JSON → Update Environment (all-in-one script)

The following script automatically: renders the template → filters out custom-domain → adds roleArn → calls UpdateEnvironment. The agent does not need to handle JSON manually.

bash scripts/render-and-update.sh

Key notes (built into the script — no manual handling needed):

  • custom-domain service is automatically filtered out (causes "Unknown service type" error)
  • roleArn is automatically added
  • Uses --body to pass data (--spec cannot correctly pass deeply nested JSON)

4b. Trigger Deployment

Built-in rate-limit protection: The script retries up to 3 times with 60-second intervals, and stops immediately on 404. Run the script directly — do not call deploy-environment manually.

bash scripts/deploy-environment.sh

Step 5: Poll Deployment Status

Deployment is asynchronous — poll until complete (typically takes 5–15 minutes). Run the following script directly:

bash scripts/poll-deploy-status.sh

Step 6: Create Custom Domain

Why is a custom domain needed? FC trigger URLs (*.fcapp.run) force a Content-Disposition: attachment response header, causing the browser to download the HTML instead of rendering it. A custom domain (*.devsapp.net) is required for the application to work properly.

Must use FC 2.0 API (aliyun fc-open) to create the helper function: FC 3.0 does not support $ in function names. The fc-open plugin will be auto-installed via the --auto-plugin-install true configuration.

Run the following complete script directly (only MY_UID and PROJECT_NAME variables need to be set):

bash scripts/create-custom-domain.sh

Step 7: Get Access URL (stop here)

The access URL is automatically printed at the end of the Step 6 script. Format:

http://${PROJECT_NAME}-web.fcv3.${MY_UID}.cn-hangzhou.fc.devsapp.net/

Stop here. Provide the access URL from Step 6 output to the user and let them experience the app on their own. Do not operate the application on behalf of the user.

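⚠️ Security reminder: when showing the access URL, you must tell the user that the URL is directly reachable from the public internet and should not be shared with people they do not trust. Unauthorized access may lead to:

  • Cloud resource consumption: every access consumes Function Compute resources and Bailian API call quota, which may incur additional charges.
  • Privacy leakage: generated animation stories, uploaded images, and other content may contain personal or sensitive information.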

Cleanup

To clean up deployed resources, delete in the following order (requires PROJECT_NAME, MY_UID, BUCKET_NAME, API_KEY_ID variables):

# 1. Delete FC custom domain
aliyun fc delete-custom-domain --domain-name "${PROJECT_NAME}-web.fcv3.${MY_UID}.cn-hangzhou.fc.devsapp.net" --region cn-hangzhou --user-agent AlibabaCloud-Agent-Skills/alibabacloud-tech-solution-animation-creation-auto-deploy

# 2. Delete Devs project (also deletes associated FC functions; --force true skips environment resource check)
aliyun devs delete-project --name "$PROJECT_NAME" --force true --user-agent AlibabaCloud-Agent-Skills/alibabacloud-tech-solution-animation-creation-auto-deploy

# 3. Delete OSS Bucket (recursively delete all objects first, then delete the Bucket)
aliyun oss rm "oss://$BUCKET_NAME" -r -f --region cn-hangzhou --ua AlibabaCloud-Agent-Skills/alibabacloud-tech-solution-animation-creation-auto-deploy
aliyun oss rm "oss://$BUCKET_NAME" -b -f --region cn-hangzhou --ua AlibabaCloud-Agent-Skills/alibabacloud-tech-solution-animation-creation-auto-deploy

# 4. Delete Bailian API Key (API_KEY_ID is output during create-api-key.sh execution)
aliyun modelstudio delete-api-key --api-key-id "$API_KEY_ID" --user-agent AlibabaCloud-Agent-Skills/alibabacloud-tech-solution-animation-creation-auto-deploy

Workflow Teardown

After the workflow completes (or after Cleanup), disable AI-Mode:

aliyun configure ai-mode disable

Cannot-via-CLI/SDK Summary

See references/related-commands.md for full CLI command reference.

Key limitation: First-time activation of FC has no CLI/API support — users must activate it manually in the console.

Auto-activated: OSS service via aliyun ossadmin open-oss-service (built into Step 2). Bailian workspace via aliyun modelstudio create-workspace (built into Step 1).


Best Practices

  1. Region is fixed to cn-hangzhou (FC and OSS in the same region)
  2. DashScope API Key is passed via Devs template parameters — not hardcoded
  3. OSS Bucket names include a random suffix to avoid conflicts
  4. Record the access URL and created resources after deployment completes

Reference Links

| Reference | Description |
| --- | --- |
| references/ram-policies.md | RAM permission policies |
| references/related-commands.md | CLI/SDK command reference |
| references/verification-method.md | Deployment verification steps |
| references/acceptance-criteria.md | Acceptance criteria |
| references/cli-installation-guide.md | CLI installation guide |
