Install
openclaw skills install @sdk-team/alibabacloud-error-troubleshootAlibaba Cloud OpenAPI troubleshooting skill. Use this skill when the user needs to diagnose API call failures
using Request ID, error codes, or error messages — via Aliyun CLI openapiexplorer plugin commands.
Triggers: "RequestId 排查", "Request ID 诊断", "错误码解决方案", "API 调用失败", "get-request-log",
"get-own-request-log", "get-error-code-solutions", "OpenAPI 故障排查", "API troubleshoot",
"diagnose OpenAPI", "diagnose OpenAPI error codes", "diagnose OpenAPI error messages",
"Diagnose OpenAPI API call failures using Request ID".
openclaw skills install @sdk-team/alibabacloud-error-troubleshootGuide users to diagnose Alibaba Cloud OpenAPI call failures using the OpenAPI Explorer troubleshoot APIs exposed as Aliyun CLI commands. These CLI commands call the same backend as the OpenAPI Diagnostic Portal.
Run aliyun version to verify version >= 3.4.0. If not installed or outdated, follow references/cli-installation-guide.md.
This skill depends on the aliyun-cli-openapiexplorer plugin, which provides the three required CLI commands:
openapiexplorer get-own-request-log, openapiexplorer get-request-log, openapiexplorer get-error-code-solutions.
Plugin name is aliyun-cli-openapiexplorer (NOT openapiexplorer). The install command uses --names:
aliyun configure set --auto-plugin-install true
aliyun plugin install --names aliyun-cli-openapiexplorer
aliyun plugin update
Verify it is available before running any troubleshoot command:
aliyun plugin list | grep openapiexplorer
aliyun openapiexplorer get-own-request-log --help
Command format rule (mandatory). Every troubleshoot command in this skill MUST use the exact
kebab-case form under the openapiexplorer plugin:
aliyun openapiexplorer get-own-request-log ...aliyun openapiexplorer get-request-log ...aliyun openapiexplorer get-error-code-solutions ...PascalCase subcommands are strictly forbidden. Never invent or attempt any
aliyun <product> <PascalCaseApi> style call as a substitute. If a troubleshoot command returns
not a valid api, the openapiexplorer plugin is missing — re-run the install command above
instead of switching to ActionTrail, web search, or re-issuing the original failing API. These
three commands live only under the openapiexplorer plugin and have no equivalent in core
product subcommands.
Run aliyun configure list to verify credentials are configured.
If no valid profile is shown, STOP and ask the user to run aliyun configure outside this session.
Security rules:
aliyun configure list to check credential statusauthenticationInfo.ak, tokens, etc.) when presenting resultsUpon loading this skill, generate a random session ID once for the entire session:
a1b2c3d4e5f6789012345678901234ab){session-id} in all commands belowRule: Every aliyun CLI command that calls a cloud API MUST include the --user-agent flag.
Local utility commands (e.g. configure, plugin, version) do not support this flag
and should be excluded.
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-error-troubleshoot/{session-id}
Use this skill when the user wants to:
| API | CLI Command | Purpose |
|---|---|---|
| GetOwnRequestLog | get-own-request-log | Query logs for API calls made by the current account |
| GetRequestLog | get-request-log | Query logs for Request IDs under the same parent account — main account and all its sub-accounts |
| GetErrorCodeSolutions | get-error-code-solutions | Fetch diagnostic solutions for an error code |
See references/ram-policies.md for minimum RAM policy JSON.
Permission failure handling: If a call returns
UnauthorizedorAccessDenied, stop and surface references/ram-policies.md. Do not retry with a different account without explicit user confirmation.
Follow this decision tree. Full details: references/troubleshooting-workflow.md.
User has Request ID?
├── YES → Step 1: Query request log
│ ├── Default: get-own-request-log (current account only)
│ └── Request ID from sibling sub-account or main account: get-request-log
│ ├── Step 1 returns NotFound.RequestLog (404)?
│ │ └── TERMINATE: do NOT call get-error-code-solutions with `NotFound.RequestLog`.
│ │ Report log-unavailable cause (expired / wrong scope / no permission),
│ │ ask user for a fresh Request ID or the original error code, end the run.
│ ├── Step 2: Extract errorCode, errorMessage, product from logInfo.basicInfo
│ └── Step 3: If errorCode present → get-error-code-solutions
│ → Step 4: Summarize root cause + solutions + next steps
└── NO, only error code/message
└── Step 3 directly: get-error-code-solutions (provide product if known)
⛔ Hard stop on log-NotFound:
NotFound.RequestLogis the troubleshoot-API's own status for "no log available", not a business error code of the user's failed call. Feeding it toget-error-code-solutionswill return irrelevant or empty results and is strictly forbidden. Always end the workflow at the NotFound branch and surface a user-facing recovery message instead.
Request ID format: UUID, uppercase (e.g. BE7C768F-946F-5B46-80D4-F22FCFAF67C0).
Choose the right command:
| Command | Scope | When to use |
|---|---|---|
get-own-request-log | Current account's own API calls only | Default — user troubleshooting their own failed API call |
get-request-log | Same parent account only — main account + all sub-accounts under it | Sub-account querying main account or sibling sub-account Request IDs; cannot access unrelated accounts |
Prefer get-own-request-log first — this mirrors the OpenAPI Diagnostic Portal behavior (GetOwnRequestLog is tried before GetRequestLog).
# Default: current account
aliyun openapiexplorer get-own-request-log \
--log-request-id <REQUEST_ID> \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-error-troubleshoot/{session-id}
# Same parent account — main account or sibling sub-accounts
aliyun openapiexplorer get-request-log \
--log-request-id <REQUEST_ID> \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-error-troubleshoot/{session-id}
Extract key fields from logInfo (use --cli-query to project):
aliyun openapiexplorer get-own-request-log \
--log-request-id <REQUEST_ID> \
--cli-query 'logInfo.basicInfo.{product:product,api:api,errorCode:errorCode,errorMessage:errorMessage,httpStatusCode:httpStatusCode,regionId:regionId,logRequestId:logRequestId}' \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-error-troubleshoot/{session-id}
| Field path | Meaning |
|---|---|
logInfo.basicInfo.product | Product code (needed for solution lookup) |
logInfo.basicInfo.api | API action name |
logInfo.basicInfo.errorCode | Error code from the failed call |
logInfo.basicInfo.errorMessage | Error message |
logInfo.basicInfo.httpStatusCode | HTTP status (200 with business error vs 4xx/5xx) |
logInfo.basicInfo.regionId | Region |
logInfo.callerInfo | Caller account, IP, caller type (main/sub/STS) |
logInfo.parameters | Request parameters sent to the API |
logInfo.responses.responseBody | Raw response body (may contain nested error details) |
Before fetching solutions, interpret the log:
NotFound.RequestLog (HTTP 404 from the lookup itself) — log is unavailable. STOP HERE. Do NOT proceed to Step 3. See "Hard stop on log-NotFound" above and "Troubleshooting CLI Errors → 6" below.basicInfo.throttlingResult (e.g. FC.PASS vs throttle codes)AccessDenied, NoPermission, Forbidden.RAM in errorCode or response body; check callerInfo.callerType and whether STS role is involvedlogInfo.parameters against API documentation linked in basicInfo.apiDocMaps to troubleshoot-server sdkAgentService.getErrorCodeSolutions → OpenAPI GetErrorCodeSolutions.
⛔ Precondition —
errorCodeMUST come fromlogInfo.basicInfo.errorCodeof a successfully retrieved log (or from the user's original error report). Never pass the lookup's own meta-status codes (NotFound.RequestLog,Unauthorized,AccessDeniedproduced by the get-*-request-log call itself) as--error-code. If Step 1 returned NotFound, the workflow has already terminated — do not enter Step 3.
aliyun openapiexplorer get-error-code-solutions \
--error-code <ERROR_CODE> \
--product <PRODUCT_CODE> \
--error-message "<ERROR_MESSAGE>" \
--accept-language zh-CN \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-error-troubleshoot/{session-id}
| Parameter | Required | Notes |
|---|---|---|
--error-code | Yes | From log basicInfo.errorCode or user's error report |
--product | Recommended | From log basicInfo.product; narrows solution matches |
--error-message | Optional | Improves match quality when multiple solutions exist for the same code |
--accept-language | Optional | zh-CN (default) or en-US; empty if no English content |
Product code sources:
logInfo.basicInfo.product from Step 1 (preferred)https://api.aliyun.com/product/<ProductCode> → ProductCode is the segment after /product/Present each solution's title/content clearly. An empty solutions array means no curated solution exists — fall back to log analysis and API documentation.
Always include:
See references/api-reference.md for full parameter lists and examples.
| CLI | API | Description |
|---|---|---|
aliyun openapiexplorer get-own-request-log | GetOwnRequestLog | Current account's request log |
aliyun openapiexplorer get-request-log | GetRequestLog | Request log under the same parent account |
aliyun openapiexplorer get-error-code-solutions | GetErrorCodeSolutions | Error code diagnostic solutions |
get-own-request-log unless the Request ID belongs to the main account or another sub-account under the same parent account--product to get-error-code-solutions when available from the logNotFound.RequestLog, the log may have expired (typically retained ~3 days) or the caller lacks permissionhttps://api.aliyun.com/troubleshoot?q=<ErrorCode>&product=<Product>Walk through in order when the user reports errors:
aliyun version >= 3.4.0?aliyun plugin list | grep openapiexplorer?aliyun configure list shows valid profile?get-own-request-log for main account or sibling sub-account Request ID? Retry with get-request-log (same parent account only). If still 404, the Request ID is from an unrelated account, expired, or invalidget-error-code-solutions with --error-code NotFound.RequestLog (or any of the lookup's own meta-status codes like Unauthorized / AccessDenied produced by the get-*-request-log call). They are status codes of the troubleshoot API itself, not of the user's failing call — solution lookup will return irrelevant or empty results.GetRequestLog permission), then ask for either (a) a fresh Request ID generated by a recent failing call from the current account, or (b) the original error code from the user's application logs — and end this turn.Full playbook: references/troubleshooting-workflow.md.
| Document | Description |
|---|---|
| references/cli-installation-guide.md | CLI >= 3.4.0 install, plugin setup, credentials |
| references/api-reference.md | Full CLI command reference for all three APIs |
| references/troubleshooting-workflow.md | End-to-end diagnostic playbook with examples |
| references/ram-policies.md | Minimum RAM policies for troubleshoot APIs |