Alibabacloud Flink Instance Manage

v0.0.2

Manage Alibaba Cloud Flink VVP instances and namespaces through create/query operations only. Use when user asks to create or query Flink instances, namespac...

⭐ 0· 25·0 current·0 all-time

byalibabacloud-skills-team@sdk-team

MIT-0

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

high confidence

!

Purpose & Capability

The skill claims to manage Alibaba Cloud Flink instances (create/query) which legitimately requires Alibaba Cloud credentials and the Alibaba Cloud SDK; however the registry metadata declares no required environment variables or primary credential. The code bundle includes Alibaba Cloud SDKs in assets/requirements.txt and Python scripts that will call the OpenAPI, so the declared requirements are incomplete and inconsistent with the actual capability.

!

Instruction Scope

Runtime instructions require running python scripts (scripts/instance_ops.py) and explicitly require valid Alibaba Cloud credentials and network access to Flink OpenAPI. The docs also reference using the default credential chain and ~/.aliyun/config.json and environment variables (ALIBABA_CLOUD_*). The manifest did not declare these config/credential accesses. While the SKILL.md prohibits outputting plaintext AK/SK, the instructions inherently depend on credentials and config files that contain secrets.

ℹ

Install Mechanism

There is no formal install spec in the registry (instruction-only), but SKILL.md and python-environment docs instruct installing dependencies with pip using assets/requirements.txt (alibabacloud SDK packages from PyPI). Installing third-party packages is expected for this SDK-based tool but is a non-trivial action (networked package installation). The lack of an explicit install step in the manifest is an omission and increases the chance operators will miss the dependency/permission impact.

!

Credentials

The skill will need Alibaba Cloud credentials (AK/SK, STS token, or ECS RAM role) and may read credential sources such as environment variables or ~/.aliyun/config.json, but the registry declares no required env vars or primary credential. That is disproportionate/inconsistent. The docs provide many examples showing credential use and CLI configuration — sensitive data will be accessed unless you use a RAM role or temporary credentials. The skill requests no unrelated third-party secrets, but it does implicitly require access to credential stores that contain secrets.

✓

Persistence & Privilege

The skill does not request always:true and is user-invocable only. There is no evidence it modifies other skills or requests persistent system-wide privileges. Its runtime behavior appears limited to calling Alibaba Cloud OpenAPI via provided scripts.

What to consider before installing

This skill appears to implement what it claims (Flink instance create/query) but the package metadata is incomplete and that creates risk. Before installing or running: 1) Review the Python scripts (especially scripts/instance_ops.py) to confirm there are no unexpected network endpoints, telemetry, or file exfiltration. 2) Expect to supply Alibaba Cloud credentials: prefer temporary STS tokens or an ECS RAM role with least-privilege policies, not long-lived root keys. 3) Do not run pip install blindly — inspect assets/requirements.txt and vet the SDK packages. 4) Run the tool in an isolated environment (or sandbox) the first time and avoid exposing your main credential store; consider creating a dedicated RAM user with minimal permissions for testing. 5) Ask the publisher to correct the skill metadata to declare required env vars/primary credential and to provide a clear install spec. If you cannot review the scripts, treat this skill as risky and avoid providing production credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk974c4yngss9h1qc5qrhjc8kh5843bdd

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Alibaba Cloud Flink Instance Manage

Operate Alibaba Cloud Flink VVP resources with a strict create/query scope through one wrapper script.

Scope and Entrypoint

Always run operations through:

python scripts/instance_ops.py <command> [options]

Allowed commands: create, create_namespace, describe, describe_regions, describe_zones, describe_namespaces, list_tags
Out of scope: update/delete, Flink SQL/job runtime operations, and non-Flink services

Trigger Rules

Use this skill when prompts are about Flink instance/namespace lifecycle operations.

Positive intent examples:
- "Create a Flink instance in cn-beijing"
- "List Flink instances and status"
- "Describe namespaces for instance f-cn-xxx"
- "查询 Flink 实例标签"
- "Flink 可用区有哪些"
Negative intent examples:
- ECS/Kafka/OSS/DataWorks operations
- Generic questions (weather, translation, etc.)
- Flink SQL / Flink job authoring or runtime tuning
Ambiguous prompts:
- Ask one clarification question: instance/namespace management vs SQL/job operations.

Intent to Command Mapping

User intent	Command
Query all instances in a region	`describe --region_id <REGION>`
Create instance	`create ... --confirm`
Query namespaces under an instance	`describe_namespaces --region_id <REGION> --instance_id <ID>`
Create namespace	`create_namespace ... --confirm`
Query supported regions/zones	`describe_regions` / `describe_zones --region_id <REGION>`
Query tags	`list_tags --region_id <REGION> --resource_type <TYPE> [--resource_ids ...]`

Operating Rules

Confirmation is mandatory for create commands
- create and create_namespace must include --confirm.
Verify create results with read-back
- Do not conclude success from create response alone.
Retry policy is strict
- Maximum 2 attempts for the same command (initial + one corrected retry).
No automatic operation switching
- If an operation fails, do not switch to a different operation without user approval.
Lifecycle target lock
- In create -> create_namespace flow, namespace must target the same newly created InstanceId unless user approves fallback.
Namespace pre-check is required
- Before create_namespace, check instance status/resources and existing namespace allocation.
No secret exposure
- Do not output or request plaintext AK/SK. Use default credential chain guidance.
Do not invent parameters
- Never fabricate VPC/VSwitch/instance IDs.
Keep auditable confirmation evidence
- Lifecycle outputs must contain SafetyCheckRequired or explicit --confirm evidence.
No partial-completion claims for lifecycle flows

For flows requiring both create and create_namespace, overall status can be completed only when both create operations succeed.

No automatic capacity scaling

If create_namespace fails due to insufficient resources, report it clearly and ask user to manually scale resources outside this skill scope.

Execution Protocol

Step 1: Classify request

In-scope create/query for Flink instance/namespace/tag/region/zone -> continue.
Out-of-scope or non-Flink -> reject or route with explanation.

Step 2: Validate parameters

Apply references/parameter-validation.md.
If required parameters are missing, ask user or return clear remediation.

Step 3: Execute command

Query commands: run once unless transient query error.
Create commands: construct final command string and verify --confirm is present before execution.

Step 4: Verify create outcomes

For create: verify with describe --region_id <REGION>.
For create_namespace: verify with describe_namespaces --region_id <REGION> --instance_id <ID>.
Use up to 3 read checks with short backoff before concluding the create is not reflected yet.
For chained create -> create_namespace:
- poll describe --region_id <REGION> on the same InstanceId every 30 seconds
- max wait: 10 minutes
- if still not RUNNING, stop and provide next action (wait/retry later)
- do not switch to another instance without explicit user approval
- if namespace create fails, mark lifecycle chain as failed/not_ready, not completed
- for InsufficientResources, ask user to manually scale the instance and retry later

Key References

Start here:
- references/README.md
- references/quick-start.md
- references/trigger-recognition-guide.md
- references/core-execution-flow.md
- references/command-templates.md

Document	Purpose
`references/parameter-validation.md`	Pre-execution validation checklist
`references/e2e-playbooks.md`	Complete execution sequences
`references/common-failures.md`	Typical mistakes and fixes
`references/required-confirmation-model.md`	Confirmation gate rules
`references/instance-state-management.md`	Instance state and readiness checks
`references/output-handling.md`	Output parsing and retry policy
`references/verification-method.md`	Verification patterns after create/query
`references/acceptance-criteria.md`	Completion checklist for normal operations
`references/python-environment-setup.md`	Python dependency and auth setup
`references/cli-installation-guide.md`	Aliyun CLI diagnostics setup
`references/ram-policies.md`	Required RAM permissions
`references/related-apis.md`	API and command mapping

Output Format

All commands return JSON:

{
  "success": true,
  "operation": "<command>",
  "confirmation_check": {
    "required_flag": "--confirm",
    "provided": true,
    "status": "passed"
  },
  "data": {},
  "request_id": "..."
}

confirmation_check appears on create operations and is used for auditable safety evidence.

Exit codes: 0 = success, 1 = error.

Files

22 total

Select a file

Select a file to preview.

Comments

Loading comments…