Vefaas Cli

v1.0.6

Deploy and manage serverless applications on Volcengine veFaaS. Use when the user wants to deploy web apps, agents, skills as APIs, tool pages, webhook funct...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign, medium confidence
Purpose & Capability
Name/description, required binaries (node, npm, vefaas) and required env vars (VOLC_ACCESS_KEY_ID, VOLC_SECRET_ACCESS_KEY) all align with a cloud CLI for Volcengine veFaaS. The operations described (deploy, inspect, env set/import, pull, etc.) match the declared purpose.
Instruction Scope
Runtime instructions stay within veFaaS CLI operations. However the documentation encourages use of debug mode and collecting ~/.vefaas/logs and debug output (which the docs say can include full request/response payloads and tokens). That creates a plausible path for sensitive data (AK/SK, tokens) to appear in logs; the SKILL.md also asserts the agent "should not read or probe for any other env vars, .env files, or credential files," which is an assertion but not enforced. In short: scope is appropriate, but be careful about debug-log collection and any agent action that would read or upload those logs.
Install Mechanism
The SKILL.md includes an install instruction pointing to a tarball at https://vefaas-cli.tos-cn-beijing.volces.com/volcengine-vefaas-latest.tgz (and an npm i -g command). This looks like an official Volcengine distribution host (volces.com), which is reasonable for the vendor, but tarball installation is higher-risk than a vetted registry. Also: registry metadata reported 'No install spec' while the skill front-matter includes an install entry — an inconsistency you may want to confirm.
Credentials
Only VOLC_ACCESS_KEY_ID and VOLC_SECRET_ACCESS_KEY are required and the primary credential is correctly declared. No unrelated credentials or system config paths are requested. The number and type of env vars are proportional to a cloud CLI.
Persistence & Privilege
No always:true setting, no special OS restrictions, and no claims to modify other skills or system-wide settings. This is a normal, non-persistent, user-invocable CLI skill.
Assessment
This appears to be a legitimate veFaaS CLI skill, but take these precautions before using it: (1) Verify the tarball URL and publisher (install the CLI yourself from the vendor site if unsure); (2) Avoid asking the agent to run --debug or to collect and transmit ~/.vefaas/logs or debug.log files to third parties — those logs can contain tokens and request/response payloads; (3) Use least-privilege credentials (create a scoped service account/policy) and prefer short-lived keys where possible; (4) Be aware of the registry metadata inconsistency (SKILL.md declares an install tarball though registry listed none) — confirm the install mechanism if you plan to let the agent install the CLI automatically; (5) If you need the agent to help with troubleshooting, perform sensitive log collection manually and redact secrets before sharing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c1kj1ayb1y4mvz2zckb4yj5842px1

Runtime requirements

Bins: node, npm, vefaas
Env: VOLC_ACCESS_KEY_ID, VOLC_SECRET_ACCESS_KEY
Primary env: VOLC_ACCESS_KEY_ID
