alibabacloud-solution-deploy
Warn
Audited by Socket on Mar 31, 2026
1 alert found:
Security alert (MEDIUM): scripts/terraform_runtime_online.sh
Overall, this wrapper appears intended for benign IaC operations, with no clear indicators of covert exfiltration or backdoor-like behavior. However, it contains a significant security weakness: it uses eval to execute dynamically constructed aliyun CLI commands in cmd_plan and cmd_apply while embedding raw user/file-controlled HCL into the eval string. This can enable local command injection/remote command execution in the caller’s environment if quoting boundaries are bypassed. Additionally, it writes potentially sensitive Terraform plan logs to predictable /tmp files and prints resource identifiers to terminal output, which can leak infrastructure details in CI logs.
Confidence: 72%
Severity: 76%
Audit Metadata