EdgeOne Pages Deploy
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: edgeone-pages-deploy
Version: 1.0.0

The skill facilitates project deployment to Tencent EdgeOne Pages but involves several high-risk behaviors, including global installation of an NPM package (`edgeone`), writing sensitive API tokens to the local filesystem (`.edgeone/.token`), and executing shell commands for environment detection and deployment. While these actions are plausibly necessary for the stated purpose and the instructions include safety measures like user consent prompts and `.gitignore` updates, the handling of account-level secrets and broad shell access are inherently risky capabilities. The skill also explicitly instructs the agent to handle and display URLs containing authentication tokens (`eo_token`), which is a sensitive data handling practice (SKILL.md).
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the token is exposed, someone may be able to act on the user's EdgeOne account within the token's permissions.
The skill may use an EdgeOne API token with broad account authority. This is purpose-aligned for deployment, but the token is sensitive.
⚠️ Remind the user: the token has account-level permissions. Never commit it to a repository.
Use the least-privileged token available, keep it out of source control, rotate it if exposed, and save it only in trusted local projects.
Anyone who can see the full deployment URL may be able to access the deployed page while the link is valid.
The deployment URL itself contains access-related query parameters. Showing the full URL is part of the intended workflow, but it should be treated as a sensitive access link.
The `EDGEONE_DEPLOY_URL` includes `eo_token=` and `eo_time=` query parameters — they are required for access. Always output the complete URL.
Share the full deployment URL only with intended recipients and avoid pasting it into public logs or tickets.
Installing a global CLI can affect the local development environment and relies on the package source being trustworthy.
The skill instructs a global npm install of the latest EdgeOne CLI. This is expected for the deployment purpose, but it depends on an external package and is not version-pinned in the install command.
`npm install -g edgeone@latest`
Verify the package source and installed version before deploying, and install it only in an environment where you trust global npm tools.
Running the skill can publish project content to EdgeOne and change the user's EdgeOne Pages account state.
The deployment command can create or link an EdgeOne Pages project and publish the user's app. This is central to the skill, but it is a high-impact account action.
`edgeone pages deploy -n <project-name>`
Confirm the project name, target site, and whether the deployment is production or preview before proceeding.
Build scripts from the project may run on the user's machine or environment during deployment.
A deployment build may execute local project build scripts. That is normal for deployment, but users should expect local code execution before upload.
The CLI auto-detects the framework, runs the build, and uploads the output directory.
Deploy only projects whose build scripts you trust, especially when deploying code from third parties.
