Vefaas Cli

v1.0.6

Deploy and manage serverless applications on Volcengine veFaaS. Use when the user wants to deploy web apps, agents, skills as APIs, tool pages, webhook funct...

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description, required binaries (node, npm, vefaas) and required env vars (VOLC_ACCESS_KEY_ID, VOLC_SECRET_ACCESS_KEY) all align with a cloud CLI for Volcengine veFaaS. The operations described (deploy, inspect, env set/import, pull, etc.) match the declared purpose.
Instruction Scope
Runtime instructions stay within veFaaS CLI operations. However the documentation encourages use of debug mode and collecting ~/.vefaas/logs and debug output (which the docs say can include full request/response payloads and tokens). That creates a plausible path for sensitive data (AK/SK, tokens) to appear in logs; the SKILL.md also asserts the agent "should not read or probe for any other env vars, .env files, or credential files," which is an assertion but not enforced. In short: scope is appropriate, but be careful about debug-log collection and any agent action that would read or upload those logs.
Install Mechanism
The SKILL.md includes an install instruction pointing to a tarball at https://vefaas-cli.tos-cn-beijing.volces.com/volcengine-vefaas-latest.tgz (and an npm i -g command). This looks like an official Volcengine distribution host (volces.com), which is reasonable for the vendor, but tarball installation is higher-risk than a vetted registry. Also: registry metadata reported 'No install spec' while the skill front-matter includes an install entry — an inconsistency you may want to confirm.
Credentials
Only VOLC_ACCESS_KEY_ID and VOLC_SECRET_ACCESS_KEY are required and the primary credential is correctly declared. No unrelated credentials or system config paths are requested. The number and type of env vars are proportional to a cloud CLI.
Persistence & Privilege
No always:true setting, no special OS restrictions, and no claims to modify other skills or system-wide settings. This is a normal, non-persistent, user-invocable CLI skill.
Assessment
This appears to be a legitimate veFaaS CLI skill, but take these precautions before using it: (1) Verify the tarball URL and publisher (install the CLI yourself from the vendor site if unsure); (2) Avoid asking the agent to run --debug or to collect and transmit ~/.vefaas/logs or debug.log files to third parties — those logs can contain tokens and request/response payloads; (3) Use least-privilege credentials (create a scoped service account/policy) and prefer short-lived keys where possible; (4) Be aware of the registry metadata inconsistency (SKILL.md declares an install tarball though registry listed none) — confirm the install mechanism if you plan to let the agent install the CLI automatically; (5) If you need the agent to help with troubleshooting, perform sensitive log collection manually and redact secrets before sharing.


Runtime requirements

Bins: node, npm, vefaas
Env: VOLC_ACCESS_KEY_ID, VOLC_SECRET_ACCESS_KEY
Primary env: VOLC_ACCESS_KEY_ID

SKILL.md

vefaas: Volcengine FaaS CLI

vefaas is the command-line tool for Volcengine Function Service (veFaaS). It enables serverless application deployment, function management, and configuration through a streamlined workflow.

Installation

npm i -g https://vefaas-cli.tos-cn-beijing.volces.com/volcengine-vefaas-latest.tgz

Note: The domain volces.com is Volcengine (ByteDance cloud). This tarball is the official distribution channel for the CLI; it is not published to the npm registry. The install method matches the front matter metadata.install spec.

Verify installation:

vefaas --version

Tip: vefaas -v (or vefaas --version) will print the current version and, if a newer release is available, show instructions on how to update. When a user encounters unsupported features or wants to check for updates, run this command first.

Core Workflow

The typical deployment pattern:

  1. Check Node.js: node --version (requires >= 18, recommended 20+)

    • If version is too low, switch using nvm (nvm use 20) or fnm (fnm use 20), or manually install a newer version
  2. Check CLI: vefaas --version to verify installation

  3. Authenticate (try in order, stop at first success):

    a. Auto-check (preferred): vefaas login --check — the CLI auto-detects available credentials (Ark Skill, injected tokens, etc.). If this passes, proceed to step 4.
    b. SSO: vefaas login --sso — if browser is available.
    c. AK/SK: vefaas login --accessKey <AK> --secretKey <SK> — last resort, prompt user.

  4. Pre-flight check (MUST do before every deploy): vefaas inspect

    • framework / language correct → don't touch start command or build settings
    • port wrong → fix in code (e.g., process.env.PORT || 3000), or override via --port at deploy time
    • Check dependency files: ensure package.json (Node.js) or requirements.txt (Python) lists all runtime deps — the server only installs what's declared, not what's globally installed locally
  5. Deploy:

    # New app
    vefaas deploy --newApp <n> --gatewayName $(vefaas run listgateways --first) --yes
    
    # Existing app
    vefaas deploy --app <n> --yes
    

    If you need to override specific parameters that inspect got wrong (port, build command, start command, etc.), pass them directly at deploy time:

    vefaas deploy \
      --newApp my-app \
      --gatewayName $(vefaas run listgateways --first) \
      --buildCommand "npm run build" \
      --outputPath dist \
      --command "node dist/index.js" \
      --port 3000 \
      --yes
    
  6. Access: vefaas domains to view URLs

Quick Commands

Purpose | Command
--- | ---
Check version / update | vefaas -v (shows version and update instructions if available)
Check auth | vefaas login --check (preferred, auto-detects credentials)
Login (SSO) | vefaas login --sso (opens browser, auto-completes)
Login (AK/SK) | vefaas login --accessKey <AK> --secretKey <SK> (last resort)
Init from template | vefaas init --template <n>
Inspect project | vefaas inspect (run before deploy to verify detection)
Deploy new app | vefaas deploy --newApp <n> --gatewayName $(vefaas run listgateways --first) --yes
Deploy existing | vefaas deploy --app <n> --yes
List gateways | vefaas run listgateways --first
View URLs | vefaas domains
Set env var | vefaas env set KEY VALUE
View config | vefaas config list
Pull code | vefaas pull --func <n>

Global Options

Option | Description
--- | ---
-d, --debug | Enable debug mode for troubleshooting
--yes | Non-interactive mode (required for CI/AI coding)
--region | Region override (e.g., cn-beijing)

Cookbooks

Step-by-step guides for common scenarios:

References

Detailed documentation on specific topics:

Security

  • Declared credentials only: This skill uses VOLC_ACCESS_KEY_ID and VOLC_SECRET_ACCESS_KEY as declared in the front matter. The agent should not read or probe for any other env vars, .env files, or credential files.
  • Debug output: vefaas --debug may print request/response payloads that contain tokens or secrets. Do not log, store, or surface debug output to the user unless they explicitly request troubleshooting. When sharing debug output, redact any values that look like keys, tokens, or secrets.
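
One way to apply the redaction rule above before debug output leaves the machine, as an added example (not part of SKILL.md or the vefaas CLI). The `redactDebugOutput` helper, the list of sensitive key names and the sample log lines are assumptions; the real debug format may differ.

```javascript
// Added example: scrub credentials from `vefaas --debug` output before sharing.
// SAMPLE is constructed; the real debug line format is an assumption.
const SENSITIVE_KEY =
  /secret|token|password|access[_-]?key|authorization|credential|signature/i;
const MASK = '[REDACTED]';

function redactDebugOutput(text, knownSecrets = []) {
  let out = text;
  // 1. Exact values of the declared credentials, longest first so a value
  //    that contains another is masked whole. Short strings are skipped to
  //    avoid masking ordinary words.
  const literals = knownSecrets
    .filter((v) => typeof v === 'string' && v.length >= 8)
    .sort((a, b) => b.length - a.length);
  for (const v of literals) out = out.split(v).join(MASK);
  // 2. JSON string fields whose key name looks sensitive.
  out = out.replace(
    /"([^"\\]+)"(\s*:\s*)"(?:[^"\\]|\\.)*"/g,
    (m, key, sep) => (SENSITIVE_KEY.test(key) ? `"${key}"${sep}"${MASK}"` : m)
  );
  // 3. HTTP Authorization header lines (the rest of the line is masked).
  out = out.replace(/(\bauthorization\s*:\s*)[^\r\n]+/gi, `$1${MASK}`);
  // 4. Credentials passed as CLI flags or as the declared env vars.
  out = out.replace(/(--(?:accessKey|secretKey)[ =])\S+/g, `$1${MASK}`);
  out = out.replace(
    /\b(VOLC_(?:ACCESS_KEY_ID|SECRET_ACCESS_KEY)=)\S+/g, `$1${MASK}`);
  return out;
}

// Constructed sample of debug output (all values are fake).
const SAMPLE = [
  '[debug] POST /deploy',
  '> Authorization: HMAC-SHA256 Credential=AKEXAMPLE0000000000/20240101',
  '< {"FunctionId":"fn-123","SessionToken":"tok_abc.def","Region":"cn-beijing"}',
  '[debug] argv: login --accessKey AKEXAMPLE0000000000 --secretKey c2VjcmV0RXhhbXBsZQ==',
].join('\n');

// Mask the declared credentials by value, then everything matched by pattern.
const declared = [process.env.VOLC_ACCESS_KEY_ID, process.env.VOLC_SECRET_ACCESS_KEY];
console.log(redactDebugOutput(SAMPLE, declared));
```

Pattern rules only catch shapes they know about, so a manual read of the redacted text is still needed before it is shared.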

Important Notes

  • Always use --yes for non-interactive mode in CI/CD and AI coding scenarios
  • Use $(vefaas run listgateways --first) to get an available gateway
  • Config is stored in .vefaas/config.json after linking
  • Use --debug or -d to troubleshoot issues (see Security section for caveats)
  • Auth: always start with vefaas login --check — the CLI auto-detects available credentials
  • Always run vefaas inspect before every deploy — check framework/language detection, port, and dependency files (package.json / requirements.txt). Fix issues before deploying, not after
  • When a feature is unsupported or you suspect the CLI is outdated, run vefaas -v to check version and see update instructions
