Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alibabacloud Dms Skill

v0.0.1

Alibaba Cloud DMS Database Read/Write Skill. Use this skill to search for target databases in DMS and execute SQL queries and data modifications. Triggers: "...

by alibabacloud-skills-team@sdk-team
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill claims to perform DMS database search and SQL execution, which legitimately requires Alibaba Cloud credentials and an authenticated aliyun CLI (or SDK). The included scripts and documentation expect configured AK/SK or other Alibaba Cloud auth, plus the aliyun CLI and jq. However, the registry metadata declares no required environment variables, no primary credential, and no required binaries — a mismatch between declared requirements and actual runtime needs.
Instruction Scope
SKILL.md and the scripts explicitly instruct the agent/operator to run local scripts that call aliyun-cli (dms-enterprise APIs). The instructions contain sensible safety checks (force/dry-run, block destructive DDL, require parameter confirmation) and explicitly warn not to print AK/SK. The runtime instructions do not reference unrelated system files or unknown external endpoints beyond Alibaba Cloud. The notable issue is that the instructions assume credentials/configuration exist but the skill metadata does not surface that requirement.
Install Mechanism
There is no install spec (instruction-only), which reduces supply-chain risk. The package does include two executable shell scripts that will be run locally. Dependencies (aliyun-cli, jq) are required by the scripts and documented in references, but those required binaries are not declared in the registry metadata. No remote download/install URLs are embedded in the skill files.
! Credentials
The runtime expects Alibaba Cloud credentials (AK/SK, STS tokens, or profile via aliyun configure) and may use environment variables or ~/.aliyun/config.json, but the registry metadata declares no required environment variables or primary credential. That omission is disproportionate and risky — users may be unaware the skill will use cloud credentials, and metadata should explicitly list required creds and the primaryEnv. The skill's references also suggest environment variables like ALIBABA_CLOUD_ACCESS_KEY_ID which are not surfaced in metadata.
Persistence & Privilege
The skill does not request always:true, does not modify other skills' configs, and does not create persistent resources. It runs ephemeral CLI calls against Alibaba Cloud DMS and returns results. No persistent system-wide privileges are requested in the files.
What to consider before installing
This skill appears to be what it says (it searches DMS and runs SQL), but the registry metadata omits critical runtime requirements. Before installing or running it:

  1. Confirm the skill's source and trust the maintainer.
  2. Require the publisher to update metadata to declare required binaries (aliyun-cli, jq) and the primary credential(s) (ALIBABA_CLOUD_ACCESS_KEY_ID / _SECRET or note reliance on aliyun configured profiles).
  3. Test in a safe environment first (non-production account or read-only IAM policy).
  4. Prefer least-privilege RAM policies (restrict dms:ExecuteScript to specific DB IDs and SELECT-only if possible).
  5. Never paste AK/SK into chat — configure them locally (aliyun configure) or use temporary STS tokens/ECS RAM roles.
  6. Inspect the included scripts yourself (they are small and readable) and run them manually to confirm behavior before giving any agent autonomous access.

If the publisher cannot or will not correct the metadata mismatch, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latest vk9720decze68d1x6hw2e2k1jqd8430d2


SKILL.md

Alibaba Cloud DMS Database Read/Write

Search for target databases and execute SQL queries and data modifications via Alibaba Cloud DMS OpenAPI.

Scenario Description

This skill implements the following workflow:

  1. Search Target Database — Search databases by keyword to get Database ID
  2. Execute SQL Query — Execute SQL statements on the target database

Architecture

User Request → Search Database → Get Database ID → Execute SQL → Return Results

Prerequisites

Pre-check: Aliyun CLI >= 3.3.1 required

Run aliyun version to verify >= 3.3.1. If not installed or version too low, see references/cli-installation-guide.md for installation instructions. Then [MUST] run aliyun configure set --auto-plugin-install true to enable automatic plugin installation.

  • Aliyun CLI >= 3.3.1
  • jq (for JSON parsing): brew install jq
  • Credentials configured via aliyun configure

Pre-check: Alibaba Cloud Credentials Required

Security Rules:

  • NEVER read, echo, or print AK/SK values (e.g., echo $ALIBABA_CLOUD_ACCESS_KEY_ID is FORBIDDEN)
  • NEVER ask the user to input AK/SK directly in the conversation or command line
  • NEVER use aliyun configure set with literal credential values
  • ONLY use aliyun configure list to check credential status

aliyun configure list

Check the output for a valid profile (AK, STS, or OAuth identity).

If no valid profile exists, STOP here.

  1. Obtain credentials from Alibaba Cloud Console
  2. Configure credentials outside of this session (via aliyun configure in terminal or environment variables in shell profile)
  3. Return and re-run after aliyun configure list shows a valid profile

RAM Permissions

[MUST] RAM Permission Pre-check: Verify that the current user has the following RAM permissions before execution. See references/ram-policies.md for the complete permission list.

Parameter Confirmation

IMPORTANT: Parameter Confirmation — Before executing any command or API call, ALL user-customizable parameters (e.g., database keyword, SQL statement, db-id, etc.) MUST be confirmed with the user. Do NOT assume or use default values without explicit user approval.

| Parameter | Required/Optional | Description | Default |
|-----------|-------------------|-------------|---------|
| keyword | Required | Database search keyword (1-128 chars, alphanumeric) | - |
| db-id | Required | Database ID (positive integer, obtained from search) | - |
| sql | Required | SQL statement to execute (1-10000 chars) | - |
| logic | Optional | Whether to use logic database mode | false |
| force | Optional | Confirm write operations (INSERT/UPDATE/DELETE) | false |
| dry-run | Optional | Preview write operations without executing | false |

Core Workflow

Task 1: Search Target Database

Search for databases by keyword to get the Database ID:

./scripts/search_database.sh <keyword> --json

Example:

# Search for databases containing "mydb"
./scripts/search_database.sh mydb --json

The output includes database_id, schema_name, db_type, host, port, etc.

Task 2: Execute SQL Query

Execute SQL using the Database ID obtained in the previous step:

./scripts/execute_query.sh --db-id <database_id> --sql "<SQL_statement>"

Write Operation Protection

For write operations (INSERT/UPDATE/DELETE), the script implements a protective pre-check:

| Parameter | Description |
|-----------|-------------|
| --force | Required to confirm and execute write operations |
| --dry-run | Preview write operations without executing |

DDL Operations (DROP/TRUNCATE/ALTER/RENAME) are completely blocked — these must be executed via DMS Console.

Examples:

# Read operations (no confirmation needed)
./scripts/execute_query.sh --db-id 78059000 --sql "SHOW TABLES"
./scripts/execute_query.sh --db-id 78059000 --sql "SELECT * FROM users LIMIT 10" --json

# Write operations - preview first (recommended)
./scripts/execute_query.sh --db-id 78059000 --sql "INSERT INTO users (name) VALUES ('test')" --dry-run

# Write operations - execute with confirmation
./scripts/execute_query.sh --db-id 78059000 --sql "INSERT INTO users (name) VALUES ('test')" --force
./scripts/execute_query.sh --db-id 78059000 --sql "UPDATE users SET name='test' WHERE id=1" --force
./scripts/execute_query.sh --db-id 78059000 --sql "DELETE FROM users WHERE id=1" --force

# Logic database mode
./scripts/execute_query.sh --db-id 78059000 --sql "SELECT 1" --logic

Complete Example

# 1. Search database (assuming searching for "order")
./scripts/search_database.sh order --json
# Example output:
# [{"DatabaseId": "78059000", "SchemaName": "order_db", ...}]

# 2. Execute query
./scripts/execute_query.sh --db-id 78059000 --sql "SELECT COUNT(*) FROM orders"

Success Verification

After executing SQL, check the returned results:

  1. Script return code is 0
  2. Output contains query results (column names and row data)
  3. No error messages

# Verify query success
./scripts/execute_query.sh --db-id <db-id> --sql "SELECT 1" --json
# Expected output: [{"Success": true, "RowCount": 1, ...}]

Cleanup

This skill performs read and write operations but does not create persistent resources. No cleanup is required.

Write Operation Safety

| Operation Type | Behavior |
|----------------|----------|
| SELECT / SHOW / DESC | Execute directly |
| INSERT / UPDATE / DELETE | Require --force or --dry-run |
| DROP / TRUNCATE / ALTER / RENAME | Blocked — use DMS Console |
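
One way to enforce the policy table above before a statement reaches DMS, as an added example (not the skill's execute_query.sh, whose source is not shown on this page). The function names classify_sql and gate_sql, the return codes, and the choice to refuse stacked statements and unknown leading keywords are assumptions of this sketch.

```bash
#!/usr/bin/env bash
# Added example, not the skill's own code: a fail-closed SQL gate that
# follows the documented read / write / DDL policy table.

# classify_sql SQL -> prints read | write | ddl | reject
classify_sql() {
  local sql=$1 first
  sql="${sql#"${sql%%[![:space:]]*}"}"   # trim leading whitespace
  sql="${sql%"${sql##*[![:space:]]}"}"   # trim trailing whitespace
  sql="${sql%;}"                         # allow one terminating ';'
  # Any other ';' means stacked statements (e.g. a DROP behind a SELECT).
  # This also refuses a ';' inside a string literal: fail closed.
  case $sql in *';'*) echo reject; return 0 ;; esac
  first=${sql%%[[:space:]]*}             # first whitespace-delimited token
  first=$(printf '%s' "$first" | tr '[:lower:]' '[:upper:]')
  case $first in
    SELECT|SHOW|DESC)           echo read ;;
    INSERT|UPDATE|DELETE)       echo write ;;
    DROP|TRUNCATE|ALTER|RENAME) echo ddl ;;
    *)                          echo reject ;;  # comments, CTEs, unknown verbs
  esac
}

# gate_sql SQL [--force|--dry-run] -> prints the decision; returns 0 only
# when the statement may be sent for execution.
gate_sql() {
  local kind flag=${2:-}
  kind=$(classify_sql "$1")
  case $kind:$flag in
    read:*)          echo execute; return 0 ;;
    write:--dry-run) echo preview; return 1 ;;
    write:--force)   echo execute; return 0 ;;
    write:*)         echo "refuse: write needs --force or --dry-run"; return 2 ;;
    ddl:*)           echo "refuse: DDL blocked, use DMS Console"; return 3 ;;
    *)               echo "refuse: unrecognised or stacked statement"; return 4 ;;
  esac
}

# Constructed sample input: FLAG|SQL per line (not from the skill's files).
while IFS='|' read -r flag sql; do
  printf '%-10s %-42s -> %s\n' "${flag:--}" "$sql" "$(gate_sql "$sql" "$flag")"
done <<'EOF'
|select * from users limit 10
|DELETE FROM users WHERE id=1
--dry-run|DELETE FROM users WHERE id=1
|  drop table users
|SELECT 1; DROP TABLE users
|/* note */ TRUNCATE users
EOF
```

A keyword gate like this complements the least-privilege RAM policy recommended in the scan notes; it does not replace it.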

Available Scripts

| Script | Description |
|--------|-------------|
| scripts/search_database.sh | Search databases by keyword |
| scripts/execute_query.sh | Execute SQL queries |

Note: Scripts use aliyun-cli credentials configured via aliyun configure.

Best Practices

  1. Confirm database — Verify the target database before executing SQL
  2. Use --json parameter — Facilitates programmatic processing of output
  3. Preview write operations — Always use --dry-run first for INSERT/UPDATE/DELETE
  4. Explicit confirmation — Use --force only after reviewing the preview
  5. Avoid DDL operations — DROP/TRUNCATE/ALTER/RENAME are blocked; use DMS Console instead

Reference Links

| Document | Description |
|----------|-------------|
| references/cli-installation-guide.md | CLI Installation Guide |
| references/ram-policies.md | RAM Permission Policies |
| references/related-apis.md | Related API List |
| references/acceptance-criteria.md | Acceptance Criteria |

Files

7 total