Vefaas Cli

Review

Audited by ClawScan on May 18, 2026.

Overview

This is a coherent Volcengine deployment helper, but it uses cloud credentials, a remote CLI install, and non-interactive deployment commands that users should handle carefully.

Install this only if you trust the Volcengine CLI source. Use dedicated least-privilege credentials, confirm the target app/function before any --yes deploy or env change, keep .vefaasignore configured to avoid uploading secrets, and redact or delete debug logs that may contain sensitive cloud data.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken command could publish or update the wrong serverless application without an interactive CLI prompt.

Why it was flagged

The skill gives the agent access to the veFaaS CLI and documents non-interactive cloud deployment commands. This matches the stated purpose, but it can create or update deployed services.

Skill content

allowed-tools: Bash(vefaas:*) ... vefaas deploy --newApp <n> --gatewayName $(vefaas run listgateways --first) --yes ... vefaas deploy --app <n> --yes

Recommendation

Before deploy, confirm the target app/function, region, gateway, and whether --yes is appropriate; prefer reviewing inspect output first.

What this means

The agent may be able to view or change cloud function configuration and secrets under the privileges of the supplied account.

Why it was flagged

The skill expects authenticated Volcengine access and documents commands that can read function environment variables, which may include secrets.

Skill content

Prerequisites ... Valid credentials (AKSK/SSO) ... vefaas env list ... DATABASE_URL=postgres://... API_KEY=xxx ... vefaas env get DATABASE_URL

Recommendation

Use a dedicated least-privilege Volcengine identity, avoid printing secrets unless necessary, and redact environment-variable output before sharing logs or transcripts.

What this means

You rely on the remote CLI distribution and on whatever version the "latest" tarball resolves to at install time.

Why it was flagged

The documented install path uses a global npm install from a remote latest tarball rather than reviewed code included with the skill.

Skill content

npm i -g https://vefaas-cli.tos-cn-beijing.volces.com/volcengine-vefaas-latest.tgz

Recommendation

Install only if you trust the Volcengine distribution source; consider pinning a known version or verifying checksums/signatures when available.

What this means

Debug logs could expose tokens, URLs, configuration, or other sensitive cloud data if copied into chat, tickets, or shared files.

Why it was flagged

Troubleshooting mode persists detailed API response data locally, which may include sensitive deployment or account information.

Skill content

Debug logs are automatically saved to files: ~/.vefaas/logs/YYYYMMDD-HHMMSS.txt ... Log files contain full JSON response data

Recommendation

Use debug mode only when needed, review and redact logs before sharing, and delete old logs that contain sensitive data.