EdgeOne Pages Deploy

Pass. Audited by ClawScan on May 10, 2026.

Overview

This skill is consistent with deploying projects to EdgeOne Pages, but it uses EdgeOne credentials, installs an external CLI, and can publish/upload your project.

Before installing or using this skill, make sure you trust the EdgeOne CLI package and the project you are deploying. Treat `.edgeone/.token` and full deployment URLs as sensitive, keep tokens out of git, and confirm the target site and deployment type before publishing.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the token is exposed, someone may be able to act on the user's EdgeOne account within the token's permissions.

Why it was flagged

The skill may use an EdgeOne API token with broad account authority. This is purpose-aligned for deployment, but the token is sensitive.

Skill content

⚠️ Remind the user: the token has account-level permissions. Never commit it to a repository.

Recommendation

Use the least-privileged token available, keep it out of source control, rotate it if exposed, and save it only in trusted local projects.

What this means

Anyone who can see the full deployment URL may be able to access the deployed page while the link is valid.

Why it was flagged

The deployment URL itself contains access-related query parameters. Showing the full URL is part of the intended workflow, but it should be treated as a sensitive access link.

Skill content

The `EDGEONE_DEPLOY_URL` includes `eo_token=` and `eo_time=` query parameters — they are required for access. Always output the complete URL.

Recommendation

Share the full deployment URL only with intended recipients and avoid pasting it into public logs or tickets.

What this means

Installing a global CLI can affect the local development environment and relies on the package source being trustworthy.

Why it was flagged

The skill instructs a global npm install of the latest EdgeOne CLI. This is expected for the deployment purpose, but it depends on an external package and is not version-pinned in the install command.

Skill content

`npm install -g edgeone@latest`

Recommendation

Verify the package source and installed version before deploying, and install it only in an environment where you trust global npm tools.

What this means

Running the skill can publish project content to EdgeOne and change the user's EdgeOne Pages account state.

Why it was flagged

The deployment command can create or link an EdgeOne Pages project and publish the user's app. This is central to the skill, but it is a high-impact account action.

Skill content

`edgeone pages deploy -n <project-name>`

Recommendation

Confirm the project name, target site, and whether the deployment is production or preview before proceeding.

What this means

Build scripts from the project may run on the user's machine or environment during deployment.

Why it was flagged

A deployment build may execute local project build scripts. That is normal for deployment, but users should expect local code execution before upload.

Skill content

The CLI auto-detects the framework, runs the build, and uploads the output directory.

Recommendation

Deploy only projects whose build scripts you trust, especially when deploying code from third parties.