Marketing Site Dev
Warn
Audited by ClawScan on May 17, 2026.
Overview
This skill matches its Volcengine deployment purpose, but it uses broad cloud credentials and can make persistent DNS/CDN/bucket changes, including deletions, with some under-declared and inconsistent behavior.
Install only if you truly need a Volcengine China-mainland deployment. Before running commands, use a dedicated least-privilege Volcengine key, verify the `ve` CLI source, back up DNS records, use a dedicated empty bucket, and review or fix the CDN setup script's verification flow.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken command or compromised key could alter public infrastructure, DNS, certificates, or bucket contents in the user's Volcengine account.
The skill expects broad cloud account credentials capable of changing storage, CDN, DNS, and certificates, while the registry metadata says there are no required env vars or primary credential.
The Volcengine AK/SK must have permission for: `TOSFullAccess`, `CDNFullAccess`, `DNSFullAccess`, `CertificateFullAccess`.
Use a dedicated least-privilege or temporary IAM key scoped to the exact bucket, domain, DNS zone, and CDN resources; do not use broad account-level keys.
Running CDN setup could unexpectedly change DNS records and disrupt domain verification for other services or fail to configure the intended CDN path.
The script deletes `_dnsauth` TXT records that do not match the current token and uses DCDN ownership verification, while the included references say CDN verification should use `volccdnauth` and CDN APIs. This mismatch can remove unrelated verification records or fail the intended CDN setup.
```js
const list = ve('dns', 'ListRecords', '--body', JSON.stringify({ ZID, Host: '_dnsauth', PageSize: 50 })); ... ve('dns', 'DeleteRecord', '--body', JSON.stringify({ RecordID: r.RecordID }));
```
Review and correct the CDN verification flow before running it; back up DNS records and require explicit user approval before deleting or updating DNS records.
If the configured bucket is shared, wrong, or already contains other files, deployment can delete cloud objects the user did not intend to remove.
The default deploy behavior deletes any remote bucket object that is not present in the local `dist/` output, with no dry-run, confirmation, or prefix limit.
```js
const toDelete = [...remote.keys()].filter((k) => !localKeys.has(k)); ... await client.deleteMultiObjects({ bucket, objects: chunk.map((Key) => ({ key: Key })), quiet: true });
```
Use a dedicated bucket for this site, add a dry-run or confirmation step, and consider prefix-scoping deletes before running deployment against production.
A user needs a trustworthy Volcengine CLI installation because the script will invoke it with account authority.
The script runs the local `ve` CLI to manage Volcengine resources. This is expected for the skill's purpose and does not use a shell, but it depends on the trusted CLI found on PATH.
```js
const r = spawnSync('ve', args, { encoding: 'utf8' });
```
Install `ve` from the official source, verify PATH resolution, and run the setup commands manually rather than letting an agent run them unattended.
Future installs may pull newer package versions than the author tested.
The generated project installs npm dependencies using semver ranges rather than pinned lockfile versions. This is normal for a scaffold but leaves dependency resolution to install time.
```json
"dependencies": { "@astrojs/react": "^5.0.5", "@tailwindcss/vite": "^4.0.0", "astro": "^6.3.3", "react": "^19.2.0" }
```
Generate and commit a lockfile after review, and use trusted registries or dependency auditing in CI.
