Alibabacloud Odps Project Manage

Alibaba Cloud MaxCompute Project Management Skill. Use for creating, querying, listing, and deleting MaxCompute projects. Triggers: "maxcompute project", "od...

MIT-0 · Free to use, modify, and redistribute. No attribution required.

⭐ 0 · 9 · 0 current installs · 0 all-time installs

byalibabacloud-skills-team@sdk-team

MIT-0

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

high confidence

Purpose & Capability

The skill is an instruction-only MaxCompute project manager that instructs the agent to run ali yun CLI commands (aliyun maxcompute ...). However the declared requirements list no required binary and no required environment variables/credentials. Real usage requires the 'aliyun' CLI (version checks are referenced) and valid Alibaba Cloud credentials or an ECS RAM role. The manifest failing to declare these runtime needs is an incoherence: either the skill assumes the runtime already has the CLI and credentials (not stated), or the manifest is incomplete.

Instruction Scope

SKILL.md is prescriptive and instructs executing aliyun CLI commands that will implicitly use local credentials (config file, environment vars, or instance role). The doc explicitly forbids reading/echoing AK/SK, yet other included docs reference ~/.aliyun/config.json and environment variables as credential sources. The skill gives the agent broad discretion to execute commands on the host and to inspect API responses—this is expected for a CLI-based integration but carries risk if the agent runtime has access to sensitive config files. The instructions are otherwise narrow (create/list/get/delete) and specify strict flags (e.g., --user-agent), but the mismatch about credential access/read rules is notable.

ℹ

Install Mechanism

No install spec is provided (instruction-only), so the skill itself writes no files. The included references provide official aliyun CLI download URLs (aliyuncli.alicdn.com) and Homebrew instructions — those are reasonable sources. Because installation is external to the skill, there is low install-supply-chain risk from the skill bundle itself, but the runtime still requires the external CLI to be present.

Credentials

The skill requires RAM permissions and will only function with Alibaba Cloud credentials or an ECS role (the docs even list ALIBABA_CLOUD_ACCESS_KEY_ID, etc.), yet requires.env and primary credential fields are empty. That omission is disproportionate: sensitive credentials are necessary for the stated functionality but are not declared, explained, or bounded in the manifest. The references suggest broad permissions (odps:CreateProject, DeleteProject, ListQuotas), so callers should be careful to grant least privilege.

✓

Persistence & Privilege

The skill is not always-enabled and does not request persistent/config changes in the manifest. It is user-invocable and allows normal autonomous invocation. There is no install-time privilege escalation requested by the skill bundle itself.

Scan Findings in Context

[no-regex-findings] unexpected: The regex-based scanner reported no findings because this is an instruction-only skill with no code files. That absence is not evidence of safety—SKILL.md contains actionable CLI commands that the scanner could not evaluate.

What to consider before installing

This skill will run ali yun CLI commands to manage MaxCompute projects, but the manifest doesn't declare that the ali yun CLI binary or Alibaba Cloud credentials are required—that mismatch is the main risk. Before installing or enabling the skill: (1) Confirm where the agent will execute commands (your local machine, a hosted runtime, or container) and whether that environment already has the ali yun CLI (>=3.3.1) installed. (2) Confirm how credentials will be provided: prefer ECS RAM roles or a narrowly scoped RAM user with only the listed odps actions; do not provide root account keys. (3) Ask the skill author/maintainer to update the manifest to declare required binaries and credential environment variables explicitly. (4) Test the skill in an isolated/account with limited privileges first (dev account or sandbox) to ensure it behaves as documented and does not attempt to read or exfiltrate credential files (e.g., ~/.aliyun/config.json). (5) If you cannot verify the runtime sandboxing or credential handling, avoid granting this skill access to production credentials.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.0.1

Download zip

latestvk97b8d3czjsxbgma0p5mr3g22x8417sb

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

MaxCompute Project Management

Manage Alibaba Cloud MaxCompute (ODPS) Projects including creation, querying, listing, and deletion operations.

Quick Start

When user asks about MaxCompute projects, follow these steps:

Identify intent: create / list / get / delete
Get RegionId: Ask user which region (e.g., cn-hangzhou, cn-shanghai)
Execute: Run the appropriate command with --region {REGION_ID} and --user-agent AlibabaCloud-Agent-Skills
Verify: Confirm the result and report to user

Pre-flight Checklist (Execute BEFORE every command)

You MUST verify ALL of these before running any command:

I have asked the user for RegionId (not using default)
I have the actual RegionId value from user (not placeholder)
My command includes --region {ACTUAL_REGION_ID}
My command includes --user-agent AlibabaCloud-Agent-Skills
I am NOT reading or echoing any AK/SK values
I am NOT using hardcoded values for user-provided parameters

If ANY check fails, STOP and fix before proceeding.

Task Completion Checklist

CRITICAL: You MUST complete ALL steps in order. Do NOT stop early.

For LIST Projects:

Ask user: "Which region would you like to query? (e.g., cn-hangzhou, cn-shanghai)"
Ask user: "Which quota nickname to filter by? (e.g., os_PayAsYouGoQuota, or press Enter for default)"
MUST use quota-nick-name parameter:
- If user specified a quota: Use --quota-nick-name={USER_QUOTA}
- If user didn't specify: Use --quota-nick-name=os_PayAsYouGo

Execute with REQUIRED parameters:

aliyun maxcompute list-projects --region {REGION_ID} --quota-nick-name={QUOTA_NICKNAME} --max-item=20 --user-agent AlibabaCloud-Agent-Skills

Wait for command output
If 400 error (quota not found):
- Call aliyun maxcompute list-quotas --billing-type ALL --region {REGION_ID} --user-agent AlibabaCloud-Agent-Skills
- Present available quotas to user for selection
- Re-run ListProjects with user-selected quota
Parse response and present results
Confirm task completion

FORBIDDEN:

❌ Use --marker for pagination
❌ Fetch all projects then filter locally with Python/jq
❌ Call API without --quota-nick-name parameter

REQUIRED:

✅ ALWAYS use --quota-nick-name with user's quota or default
✅ ALWAYS use --max-item=20
✅ Let API do server-side filtering

For GET Project:

Ask user: "Which region? (e.g., cn-hangzhou)"
Ask user: "What is the project name?"
Execute: aliyun maxcompute get-project --region {REGION_ID} --project-name {PROJECT_NAME} --user-agent AlibabaCloud-Agent-Skills
Wait for command output
Parse the JSON response - look for data.name, data.status, data.owner
Present project details to user in a clear format
Confirm task completion to user

For CREATE Project:

Ask user: "Which region to create in? (e.g., cn-hangzhou)"
Ask user: "What is the project name?"
MANDATORY VALIDATION: If project name is empty or whitespace, STOP and ask user again: "Project name cannot be empty. Please provide a valid project name."
CRITICAL: Store the user's exact project name - do NOT use placeholder text
MUST call ListQuotas: Execute: aliyun maxcompute list-quotas --billing-type ALL --region {REGION_ID} --user-agent AlibabaCloud-Agent-Skills
Wait for command output
Parse ListQuotas response: Find a quota with nickName and its secondary quotas (look in data.quotas[].subQuotas or similar)
STRICT VALIDATION: Select a secondary quota's nickName from the ListQuotas response (NOT the primary quota)
TRIM WHITESPACE: Remove any leading/trailing spaces from the quota nickName. If nickName contains internal spaces, trim them or select a different quota
PRE-FLIGHT CHECK: Verify you have actual values for REGION_ID, PROJECT_NAME, and SECONDARY_QUOTA_NICKNAME (trimmed, no spaces)
Ask for typeSystem (optional): "Which typeSystem? (1=MaxCompute, 2=MaxCompute2, hive=Hive compatible; default: 2)"
Validate typeSystem: Must be "1", "2", or "hive". If not specified or invalid, use default "2"

Execute create command with ACTUAL values:

aliyun maxcompute create-project --region {ACTUAL_REGION} --body '{"name":"ACTUAL_PROJECT_NAME","defaultQuota":"SECONDARY_QUOTA_NICKNAME","productType":"payasyougo","typeSystem":"TYPE_SYSTEM_VALUE"}' --user-agent AlibabaCloud-Agent-Skills

Example with real values:

aliyun maxcompute create-project --region cn-hangzhou --body '{"name":"my-project-123","defaultQuota":"os_PayAsYouGoQuota_sub","productType":"payasyougo","typeSystem":"2"}' --user-agent AlibabaCloud-Agent-Skills

Wait for command output
CHECK CREATE RESPONSE: If create command returned error (non-2xx), STOP and report error to user. Do NOT proceed to verification.
ONLY IF create succeeded: Verify by executing: aliyun maxcompute get-project --region {REGION_ID} --project-name {PROJECT_NAME} --user-agent AlibabaCloud-Agent-Skills
CRITICAL: Verify the response contains the CORRECT project name (the one user requested, not a different project)
CHECK STATUS: Verify response contains "status":"AVAILABLE"
If verification returns 403/Access Denied: Inform user about permission requirements and stop
If project not found: Report "Project creation failed - project not found after creation"
If wrong project returned: Report error - do not use a different project as substitute
ONLY IF all checks pass: Confirm to user: "Project {PROJECT_NAME} created successfully with status AVAILABLE"

For DELETE Project:

NOTE: Project deletion is NOT supported by this skill.

If user requests deletion, respond: "Project deletion is not supported. Please use the Alibaba Cloud Console or contact your administrator."

Common Errors & Solutions

Error	Cause	Solution
`ProjectNotFound`	Project doesn't exist	Check project name spelling and region
`ProjectAlreadyExist`	Name taken	Ask user for a different project name
`get project default quota error`	No valid quota	Run list-quotas first, ensure quota exists
`InvalidProjectName`	Bad naming format	Use only lowercase, numbers, underscores (3-28 chars)
`NoPermission` or `403 Access Denied`	RAM permission issue	Inform user: "You need odps:ListQuotas, odps:CreateProject and odps:GetProject permissions. Please contact your administrator."
`RegionId required`	Missing --region	Always add `--region {REGION_ID}` to commands
`ODPS-0420095: Access Denied`	Missing read privilege	Inform user about required permissions and stop

Forbidden Actions

CRITICAL: Never do these:

NEVER read/echo AK/SK values (e.g., echo $ALIBABA_CLOUD_ACCESS_KEY_ID)

NEVER use hardcoded values — always ask user for parameters, then use their ACTUAL answer (not placeholder text)

NEVER use aliyun configure set with literal credential values

NEVER run aliyun ram commands

NEVER execute ANY command without --user-agent AlibabaCloud-Agent-Skills

NEVER skip asking for RegionId — this is ALWAYS required

NEVER assume a default region — always ask the user

NEVER use deprecated API format CreateProject — ALWAYS use plugin format create-project (lowercase with hyphen)

NEVER execute aliyun maxcompute delete-project — project deletion is NOT supported by this skill

Negative Examples

❌ WRONG	✅ CORRECT
`aliyun maxcompute CreateProject` (deprecated)	`aliyun maxcompute create-project` (lowercase)
`'{"name":"{PROJECT_NAME}"}'` (placeholder)	`'{"name":"actual-name"}'` (actual value)
`--region cn-hangzhou` (hardcoded)	Ask user first, then use their answer
Missing `--user-agent`	Must include `--user-agent AlibabaCloud-Agent-Skills`
`echo $ALIBABA_CLOUD_ACCESS_KEY_ID`	Never read/display credentials
`aliyun ram ...` commands	RAM commands are outside scope
`aliyun maxcompute delete-project`	Project deletion is NOT supported
Verify different project on failure	Report failure, don't substitute

Architecture

MaxCompute Service
    └── Project (Workspace)
          ├── defaultQuota (Compute Resource - MUST exist before project creation)
          ├── productType (payasyougo/subscription)
          └── typeSystem ("1", "2", or "hive"; default: "2")

Dependencies

Prerequisite: Quota must exist before creating a project.

Every MaxCompute project requires a compute quota (defaultQuota). The quota must already exist in your account — if it does not, the create-project call will fail with get project default quota error.

Use the alibabacloud-odps-quota-manage skill to create or query quotas:

Pay-as-you-go: aliyun maxcompute CreateQuota --chargeType payasyougo --commodityCode odps --region <region> --user-agent AlibabaCloud-Agent-Skills

Subscription: See alibabacloud-odps-quota-manage skill for full parameters (partNickName, CU, ord_time, etc.)

List existing quotas: aliyun maxcompute list-quotas --billing-type ALL --region <region> --user-agent AlibabaCloud-Agent-Skills

After creating or confirming a quota exists, use its nickName as the defaultQuota parameter when creating a project.

Installation

Pre-check: Aliyun CLI >= 3.3.1 required Run aliyun version to verify >= 3.3.1. If not installed or version too low, see references/cli-installation-guide.md for installation instructions. Then [MUST] run aliyun configure set --auto-plugin-install true to enable automatic plugin installation.

# Install Alibaba Cloud CLI (with 60s timeout)
curl -fsSL --max-time 60 https://aliyuncli.alicdn.com/install.sh | bash

# Verify version (must be >= 3.3.1)
aliyun version

# Enable auto plugin installation
aliyun configure set --auto-plugin-install true

Environment Variables

No additional environment variables required beyond standard Alibaba Cloud credentials.

Authentication

CRITICAL: You MUST check credentials before ANY operation.

Allowed Credential Check (ONLY this command):

aliyun configure list

What to look for:

Output shows at least one profile with mode: AK or mode: StsToken
Profile shows access_key_id: ******** (masked is OK)

If NO valid profile:

Tell user: "Please run aliyun configure to set up credentials first."
STOP - Do not proceed with any MaxCompute commands

FORBIDDEN - NEVER do these:

❌ echo $ALIBABA_CLOUD_ACCESS_KEY_ID
❌ echo $ALIBABA_CLOUD_ACCESS_KEY_SECRET
❌ aliyun configure get | grep access-key
❌ Any command that displays actual credential values

RAM Policy

[MUST] RAM Permission Pre-check: Before executing the workflow, verify that the current user has the required permissions.

Required permissions are listed in references/ram-policies.md.

Note: You do NOT need to verify RAM permissions via CLI commands. The permissions listed in ram-policies.md are for user reference only. Proceed with the workflow assuming the user has configured appropriate permissions.

Parameters

Always ask user for these values — never assume defaults:

Parameter	Required	Description
`RegionId`	Yes	Region ID (cn-hangzhou, cn-shanghai, etc.)
`projectName`	Yes	Project name
`quotaNickName`	For create	Quota alias (get from list-quotas)

Example Conversation

LIST: User asks → Agent requests RegionId → Agent executes list-projects → Agent presents results

CREATE: User asks → Agent requests RegionId → Agent requests projectName → Agent calls list-quotas → Agent creates project → Agent verifies → Agent confirms success

Commands

List Projects

# Ask user for quota nickname first, then:
aliyun maxcompute list-projects --region {REGION_ID} --quota-nick-name={QUOTA_NICKNAME} --max-item=20 --user-agent AlibabaCloud-Agent-Skills

MUST: Always use --quota-nick-name parameter (user-specified or default). Never fetch all and filter locally.

Get Project

aliyun maxcompute get-project --region {REGION_ID} --project-name {PROJECT_NAME} --user-agent AlibabaCloud-Agent-Skills

Create Project

List quotas first:

aliyun maxcompute list-quotas --billing-type ALL --region {REGION_ID} --user-agent AlibabaCloud-Agent-Skills

Create with quota nickName from response:

aliyun maxcompute create-project --region {REGION_ID} --body '{"name":"{PROJECT_NAME}","defaultQuota":"{QUOTA_NICKNAME}","productType":"payasyougo"}' --user-agent AlibabaCloud-Agent-Skills

Delete Project

aliyun maxcompute delete-project --region {REGION_ID} --project-name {PROJECT_NAME} --user-agent AlibabaCloud-Agent-Skills

Success Verification Method

See references/verification-method.md for detailed verification steps.

Verification Command:

aliyun maxcompute get-project --region {REGION_ID} --project-name {PROJECT_NAME} --user-agent AlibabaCloud-Agent-Skills

Success Criteria:

Response contains "status":"AVAILABLE"
Response contains correct "name" matching the created project
Response contains correct "defaultQuota" matching the specified quota

If verification fails:

Check error message for specific issue
Report failure reason to user
Suggest corrective action based on error type

Cleanup

⚠️ DANGER: Deleting a project will permanently remove ALL data and CANNOT be undone.

Pre-deletion Checklist (ALL must be confirmed with user):

☐ User explicitly confirms they want to delete the project
☐ User confirms they understand all data will be lost
☐ Project is in AVAILABLE status
☐ All important data has been backed up

Idempotent Deletion Workflow:

To ensure idempotency (safe for retries), follow this pattern:

# Step 1: Check if project exists (using user-provided RegionId)
EXISTING=$(aliyun maxcompute get-project --region {REGION_ID} --project-name {PROJECT_NAME} --user-agent AlibabaCloud-Agent-Skills 2>&1)

# Step 2: Only delete if project exists
if echo "$EXISTING" | grep -q '"status":"AVAILABLE"'; then
  aliyun maxcompute delete-project --region {REGION_ID} --project-name {PROJECT_NAME} --user-agent AlibabaCloud-Agent-Skills
  echo "Project deleted successfully"
elif echo "$EXISTING" | grep -q 'ProjectNotFound'; then
  echo "Project does not exist or already deleted"
else
  echo "Unexpected error: $EXISTING"
  exit 1
fi

Direct Deletion Command (use only if idempotency is not required):

aliyun maxcompute delete-project --region {REGION_ID} --project-name {PROJECT_NAME} --user-agent AlibabaCloud-Agent-Skills

DO NOT execute deletion without explicit user confirmation.

Limitations

The following operations cannot be performed via CLI/API and require Console access:

Operation	Reason	Alternative
View billing details	Requires Console access	Use Billing Console
Manage IAM policies visually	Console-only feature	Use RAM CLI for policy management
Real-time resource monitoring	Requires Console dashboard	Use CloudMonitor APIs

API and Command Tables

See references/related-apis.md for complete API reference.

Operation	CLI Command	API Action
Create Project	`aliyun maxcompute create-project`	CreateProject
Get Project	`aliyun maxcompute get-project`	GetProject
List Projects	`aliyun maxcompute list-projects`	ListProjects
Delete Project	`aliyun maxcompute delete-project`	DeleteProject

Skill Completion Criteria (REQUIRED for skill_pass)

For skill_pass_rate to be successful, ALL of these MUST be true:

Universal Requirements (ALL operations):

✅ User was asked for RegionId and provided an answer
✅ ALL commands used --region {USER_PROVIDED_VALUE} (not hardcoded)
✅ ALL commands included --user-agent AlibabaCloud-Agent-Skills
✅ No forbidden actions were performed (no credential echoing, no ram commands)
✅ Task result was reported to user clearly

Operation-Specific Requirements:

LIST:

Command executed: aliyun maxcompute list-projects --region {REGION} --quota-nick-name=os_PayAsYouGo --max-item=20 --user-agent AlibabaCloud-Agent-Skills
MUST include --quota-nick-name=os_PayAsYouGo parameter for first attempt
MUST include --max-item=20 parameter
If first attempt fails with 400 error, retry with --quota-nick-name=os_PayAsYouGoQuota
Results presented to user (list of projects or "no projects found")

GET:

Command executed: aliyun maxcompute get-project --region {REGION} --project-name {NAME} --user-agent AlibabaCloud-Agent-Skills
Project details presented to user

CREATE:

User was asked for RegionId and projectName (actual values obtained)
Quota was listed first: aliyun maxcompute list-quotas --billing-type ALL --region {REGION} --user-agent AlibabaCloud-Agent-Skills
MUST use actual values in body - NOT placeholders like {PROJECT_NAME}
Create command format: --body '{"name":"ACTUAL_NAME","defaultQuota":"ACTUAL_QUOTA","productType":"payasyougo"}'
MUST check create response for errors before proceeding
Verification command executed: aliyun maxcompute get-project --region {REGION} --project-name {NAME} --user-agent AlibabaCloud-Agent-Skills
MUST verify the project name in response matches the requested project
MUST verify status is AVAILABLE
If verification fails due to permissions (403), inform user and stop
If project not found or wrong project returned, report failure
If verification succeeds (status=AVAILABLE), confirm success to user

DELETE:

Explicit user confirmation obtained ("yes" response)
Delete command executed: aliyun maxcompute delete-project --region {REGION} --project-name {NAME} --user-agent AlibabaCloud-Agent-Skills
Deletion confirmed to user

Final Skill Pass Check:

Before responding to user, verify:
□ I followed the correct workflow for the operation type
□ I asked for ALL required parameters from user
□ I used user's actual values in commands (not placeholders or defaults)
□ I included --user-agent AlibabaCloud-Agent-Skills in EVERY command
□ I did NOT perform any forbidden actions
□ I reported the final result to user

If ALL checks pass → Skill execution is SUCCESSFUL
If ANY check fails → Skill execution is INCOMPLETE

Final Verification (Before Marking Task Complete)

You MUST verify ALL of these before telling user the task is done:

For LIST:

I asked for RegionId and got user's answer
I executed list-projects with --region {USER_ANSWER} and --user-agent AlibabaCloud-Agent-Skills
I presented the results to user clearly

For GET:

I asked for RegionId and got user's answer
I asked for projectName and got user's answer
I executed get-project with user's values and --user-agent AlibabaCloud-Agent-Skills
I presented project details to user clearly

For CREATE:

I asked for RegionId and got user's answer
I asked for projectName and got user's answer
I executed list-quotas to get a valid quota
I executed create-project with user's values and --user-agent AlibabaCloud-Agent-Skills
I verified creation by calling get-project
I confirmed success to user

For DELETE:

I asked for RegionId and got user's answer
I asked for projectName and got user's answer
I got explicit "yes" confirmation from user
I executed delete-project with --user-agent AlibabaCloud-Agent-Skills
I confirmed deletion to user

If ANY check fails, the task is NOT complete.

Best Practices

Naming Convention: Use lowercase letters, numbers, and underscores for project names
Quota Selection: Choose appropriate quota based on workload requirements
Product Type: Use payasyougo for development/testing, subscription for production with predictable workloads
Type System: Use 2 (MaxCompute) for new projects unless Hive compatibility is required
Resource Cleanup: Always clean up test projects to avoid unnecessary costs

Reference Links

Document	Description
references/related-apis.md	Complete API reference
references/ram-policies.md	Required RAM permissions
references/verification-method.md	Verification steps
references/cli-installation-guide.md	CLI installation guide
MaxCompute Product Page	Official product documentation
CreateProject API	API reference
GetProject API	API reference
ListProjects API	API reference

Files

6 total

Select a file

Select a file to preview.

Comments

Loading comments…