ClawHub

Alibabacloud Dts Task Manager

v0.0.1

Create, view, and manage Alibaba Cloud DTS data migration/synchronization tasks interactively. Automatically triggered when the user mentions keywords such a...

0· 0·0 current·0 all-time
byalibabacloud-skills-team@sdk-team
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the actions in SKILL.md and reference files: it uses the aliyun CLI and DTS APIs to create, list, start/suspend, and delete DTS tasks. Required permissions described in references/ram-policies.md align with the operations the skill performs (CreateDtsInstance, ConfigureDtsJob, StartDtsJob, SuspendDtsJob, DeleteDtsJob, DescribeDtsJobs, DescribeDtsJobDetail). The skill does not request unrelated cloud providers, OS-level credentials, or extraneous tools.
Instruction Scope
The instructions are specific and confined to DTS workflows and related managed-instance listing APIs. They require reading user-supplied certificate files (PEM) and database credentials when configuring self-managed endpoints; these file reads are justified for establishing SSL/mTLS connections. The SKILL.md warns not to display secrets. Users should be aware that the agent will run CLI commands locally and may read certificate/private-key files the user points it to — this is expected for the skill but is sensitive.
Install Mechanism
Instruction-only skill with no install spec and no code files. The only external reference is guidance to obtain aliyun-cli (link to GitHub releases) if the CLI is missing; nothing in the skill automatically downloads or executes remote archives. Risk from installation is low because nothing is installed by the skill itself.
Credentials
The skill requests no environment variables, no credentials, and no config paths in metadata. The instructions do require the user to have configured Alibaba Cloud credentials (via aliyun configure) and to grant DTS-related RAM permissions for the account/role used — which is appropriate and proportional given the operations. The skill documents least-privilege RAM permissions. The only sensitive local access requested is optional certificate and DB credential input, which is necessary for self-managed endpoints.
Persistence & Privilege
always is false and the skill is user-invocable. There is no install-time persistence or modification of other skills or system-wide agent settings. The skill's recommended rollback behaviors (auto-release on failure) and double-confirmation on delete are operational details, not elevation of privilege.
Assessment
This skill appears to do what it says: manage Alibaba Cloud DTS via the aliyun CLI. Before installing/using it, ensure you: (1) run it with an agent profile that you trust to execute CLI commands locally; the agent will run aliyun commands and may read any certificate/private-key files you point it to — treat those files as sensitive; (2) grant only the RAM permissions needed (use least-privilege policies the references recommend or a narrowly scoped role), because the skill can create and delete DTS instances and tasks; (3) confirm that the aliyun CLI and your credentials are configured in the environment the agent will run in; and (4) require confirmations for destructive actions (the SKILL.md already prescribes double-confirmation for deletes, but verify the deployed skill enforces prompts). If you want lower blast radius, run management actions from a separate account/role with limited scope or test inside an isolated environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d8grtkwq5jxw71017s5hfrn845qrz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Alibaba Cloud DTS Task Manager

Overview

Manage Alibaba Cloud DTS (Data Transmission Service) tasks: create data migration/synchronization tasks, view task status/latency, stop/start/release tasks. All operations are guided interactively.

Parameter Parsing

Determine the operation mode based on user input, and read the corresponding references file for detailed workflow:

User IntentKeywordsActionReference File
Create migration taskempty / "create" / "new" / "migration"Interactive creationreferences/create-task.md
Create sync task"sync" / "synchronization"Interactive sync task creationreferences/create-task.md
View task list"list" / "view" / "ls"List all tasksreferences/list-tasks.md
View task status"status ID"View specified task detailsreferences/task-status.md
Stop task"stop ID" / "suspend ID" / "pause ID"Suspend specified taskreferences/suspend-task.md
Start/Resume task"start ID" / "resume ID"Start or resume taskreferences/start-task.md
Release task"release ID" / "delete ID" / "remove ID"Release (delete) taskreferences/delete-task.md
Environment setup"setup" / "configure" / "init"Check and configure environmentreferences/setup.md

When no parameters are provided, ask the user to choose the desired operation.

Step-by-Step Operation Workflows

Create Task (Migration / Sync)

Steps (full details in references/create-task.md):

  1. Prerequisites check (CLI installed, auth configured)
  2. Select Region + Task type (MIGRATION or SYNC)
  3. Configure source: engine type, access method, connection info, optional SSL
  4. Configure destination: engine type, access method, connection info, optional SSL
  5. Define migration objects: full database or specific tables, with optional name mapping
  6. Select migration types: schema / full data / incremental (default: all)
  7. Select instance class: micro / small / medium / large
  8. Review summary (passwords shown as ******) and confirm
  9. Execute: CreateDtsInstance -> ConfigureDtsJob -> StartDtsJob
  10. On failure at any step after instance creation, auto-release the instance

Example input: "Create a MySQL to Kafka sync task" Example output:

DTS task created successfully!
  Instance ID: <dts-instance-id>
  Job ID:      <job-id>
  Status:      Initializing

To check status:  aliyun dts DescribeDtsJobDetail --DtsJobId <job-id> --RegionId cn-hangzhou

List Tasks

Steps (full details in references/list-tasks.md):

  1. Prerequisites check
  2. Query tasks by each JobType (MIGRATION, SYNC, SUBSCRIBE) separately
  3. Display consolidated results in table format

Example input: "List my DTS tasks" Example output:

| Task ID        | Name                         | Type      | Status         | Source       | Destination  | Delay  |
|----------------|------------------------------|-----------|----------------|--------------|--------------|--------|
| <job-id-1>     | migration-mysql-mysql-0401   | MIGRATION | Migrating      | RDS MySQL    | RDS MySQL    | -      |
| <job-id-2>     | sync-mysql-kafka-0401        | SYNC      | Synchronizing  | RDS MySQL    | Kafka        | 128ms  |

View Task Status

Steps (full details in references/task-status.md):

  1. Prerequisites check
  2. Resolve ID: if only one ID given, look up via DescribeDtsJobs first
  3. Call DescribeDtsJobDetail
  4. Display status, progress, delay (convert ms to readable format)

Example input: "Check status of <job-id>" Example output:

Task: <job-id> (migration-mysql-mysql-0401)
Type:   MIGRATION
Status: Migrating
Progress:
  Schema migration:    Finished
  Full data migration: Finished (1,234,567 rows)
  Incremental:         Running, delay 236ms
Source:      RDS MySQL <source-instance-id> (cn-hangzhou)
Destination: RDS MySQL <dest-instance-id> (cn-hangzhou)

Stop / Start / Release Task

Stop (full details in references/suspend-task.md):

  1. Resolve ID, display task info, confirm, then call SuspendDtsJob

Start/Resume (full details in references/start-task.md):

  1. Resolve ID, then call StartDtsJob

Release/Delete (full details in references/delete-task.md):

  1. Resolve ID
  2. Pre-check: call DescribeDtsJobDetail to check current status
  3. If task is active (Synchronizing/Migrating/InitializingDataLoad), warn user and require explicit confirmation
  4. Double confirmation required before calling DeleteDtsJob

Environment Setup

Steps (full details in references/setup.md):

  1. Check aliyun CLI installation
  2. Check authentication configuration
  3. Test connectivity with a DescribeDtsJobs call

Edge Cases

  • User provides only one ID: Try it as DtsJobId first; look up DtsInstanceId via DescribeDtsJobs. If DtsInstanceID field is empty on the task, pass only DtsJobId.
  • API parameter case inconsistency: DescribeDtsJobDetail uses --DtsInstanceID (uppercase D), while DeleteDtsJob/ConfigureDtsJob use --DtsInstanceId (lowercase d). Always verify with aliyun dts <API> help before calling.
  • Ambiguous ID format: If the ID doesn't clearly match DtsJobId or DtsInstanceId pattern, fuzzy search via DescribeDtsJobs.
  • Delete active task: Never delete a running task without pre-check. Query status first; if Synchronizing/Migrating, prompt user to suspend first or explicitly confirm forced deletion.
  • Creation failure mid-flow: If CreateDtsInstance succeeds but ConfigureDtsJob or StartDtsJob fails, auto-release the created instance to avoid ongoing charges.
  • Timeout / retry: All API calls use --read-timeout 30 --connect-timeout 10. CreateDtsInstance includes --ClientToken (UUID) for idempotent retries.
  • Multi-region queries: When listing tasks, query MIGRATION/SYNC/SUBSCRIBE separately per region. The --JobType parameter defaults to MIGRATION; omitting it silently drops sync/subscribe tasks. Never use --Type (causes InvalidParameter).
  • MongoDB specifics: MongoDB endpoints require --SourceEndpointDatabaseName in ConfigureDtsJob.

Interaction Rules

Important: All information gathering must use interactive selections to avoid workflow interruption from free-text questions.

Selection-type information: Provide fixed options

Applicable to scenarios with fixed choices: task type, engine type, access method, instance selection, migration type, specification selection, etc.

Free-input information: Provide common defaults + custom input

Applicable to scenarios requiring user free input: IP address, port, username, password, database name, table name, etc. Provide common default values as options; users can select or enter custom values. Consolidate related input items into as few interaction rounds as possible.

Sensitive information: Never display in plaintext

CRITICAL: Passwords, AccessKey Secrets, certificates, and private keys must NEVER appear in plaintext anywhere in the conversation — this applies to ALL stages:

  • During collection: When the user provides a password or secret in a message (e.g., "password: MyPass123"), you MUST immediately treat it as sensitive. Do NOT quote, repeat, summarize, or reference the plaintext value in your response. Simply acknowledge receipt, e.g., "Source database password received." Then internally store it for later CLI execution. Even if the user typed the password in plain text, your reply must NEVER contain it.
  • When summarizing user input: If the user provides multiple fields including a password in one message (e.g., "username: dts, password: abc123"), your acknowledgment must mask the password: "Username: dts, Password: ******". Never reproduce the password portion of the user's message.
  • In confirmation summaries: Always show ****** for password fields.
  • In CLI commands displayed to the user: Show passwords as '******', never the actual value. The real value is only used internally when executing the command.
  • In error messages / logs: If an API error response contains sensitive fields, redact them before displaying.
  • In stored variables or references: Never repeat the plaintext value in follow-up messages.
  • In local files: Never write passwords or secrets to any local file (scripts, configs, logs, temp files, etc.). All sensitive values must only exist in memory during CLI execution.

Use single quotes around passwords in actual CLI execution to prevent shell expansion.

Prerequisites

Before executing any operation, the following checks must be performed:

1. Check aliyun CLI installation

which aliyun

If not installed, prompt the user:

2. Check authentication configuration

aliyun configure list

If not configured, guide the user through setup:

aliyun configure --mode AK

Requires: AccessKey ID, AccessKey Secret, Region Id

Important: Never display the user's AccessKey Secret in the conversation. Protect sensitive information.

3. Select Region

Let the user select a Region using interactive choices, not text input.

Supported Region list:

Mainland China:

Region IDName
cn-beijingChina North 2 (Beijing)
cn-hangzhouChina East 1 (Hangzhou)
cn-shanghaiChina East 2 (Shanghai)
cn-shenzhenChina South 1 (Shenzhen)
cn-guangzhouChina South 3 (Guangzhou)
cn-qingdaoChina North 1 (Qingdao)
cn-zhangjiakouChina North 3 (Zhangjiakou)
cn-huhehaoteChina North 5 (Hohhot)
cn-wulanchabuChina North 6 (Ulanqab)
cn-heyuanChina South 2 (Heyuan)
cn-chengduChina Southwest 1 (Chengdu)
cn-nanjingChina East 5 (Nanjing - Local Region)
cn-fuzhouChina East 6 (Fuzhou - Local Region)
cn-wuhan-lrChina Central 1 (Wuhan - Local Region)

Hong Kong (China) and International:

Region IDName
cn-hongkongChina (Hong Kong)
ap-southeast-1Singapore
ap-southeast-3Malaysia (Kuala Lumpur)
ap-southeast-5Indonesia (Jakarta)
ap-southeast-6Philippines (Manila)
ap-southeast-7Thailand (Bangkok)
ap-northeast-1Japan (Tokyo)
ap-northeast-2South Korea (Seoul)
eu-central-1Germany (Frankfurt)
eu-west-1UK (London)
us-east-1US (Virginia)
us-west-1US (Silicon Valley)
me-east-1UAE (Dubai)
na-south-1Mexico

Interactive pagination:

  • First screen (common): cn-beijing (China North 2 - Beijing), cn-hangzhou (China East 1 - Hangzhou), cn-shanghai (China East 2 - Shanghai), cn-shenzhen (China South 1 - Shenzhen)
  • After selecting Other: cn-guangzhou, cn-qingdao, cn-chengdu, cn-hongkong
  • Continue Other: Show remaining Regions or let user input Region ID directly

This step can be combined with Step 1 (task type) to reduce interaction rounds.

Error Handling

  • When API calls fail, parse error messages and provide actionable suggestions
  • If instance creation succeeds but subsequent steps fail, automatically release the created instance to avoid charges
  • Common errors:
    • InvalidAccessKeyId.NotFound - Invalid AccessKey, check configuration
    • Forbidden.RAM - Insufficient RAM permissions, requires AliyunDTSFullAccess policy
    • InvalidParameter - Parameter error, check input
    • UnSupportedTaskType - Unsupported link combination, suggest changing engine or access method
    • OperationDenied - Operation denied, task status may not allow this operation
    • Network timeout - Check network connection

CLI Call Standards

  • All aliyun CLI commands must include --user-agent AlibabaCloud-Agent-Skills parameter (except local configuration commands like aliyun configure)
  • All aliyun CLI API calls must set timeouts: --read-timeout 30 --connect-timeout 10
  • All aliyun CLI command responses are JSON; parse JSON to extract key information for display

Input Validation and Injection Prevention

CRITICAL: Before constructing any CLI command, ALL user-provided input parameters must be validated and sanitized to prevent command injection.

Validation rules by parameter type:

ParameterValidation Rule
IP addressMust match IPv4 pattern (^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$), each octet 0-255
PortInteger only, range 1-65535
Instance IDAlphanumeric, hyphens, and underscores only (^[a-zA-Z0-9_-]+$)
Database nameAlphanumeric, underscores, hyphens only (^[a-zA-Z0-9_-]+$)
Table nameAlphanumeric, underscores, hyphens, dots only (^[a-zA-Z0-9_.\-]+$)
UsernameAlphanumeric, underscores, hyphens, dots only (^[a-zA-Z0-9_.\-]+$)
Region IDMust match known Region ID list or pattern ^[a-z]{2}-[a-z]+-?\d*$
DtsJobNameAlphanumeric, hyphens, underscores, dots only, max 128 chars

Shell injection prevention:

  • All user-provided parameter values must be wrapped in single quotes ('...') when passed to CLI commands, not just passwords
  • Before quoting, reject any input containing single quotes ('), or escape them properly ('\'')
  • Reject any input containing shell metacharacters (; | & $ ` ( ) { } \n) for parameters where they are never valid (IP, port, instance ID, username, database name)
  • DbList JSON must be validated as syntactically correct JSON before passing to --DbList
  • If validation fails, display a clear error message and ask the user to re-enter the value; never pass unvalidated input to the shell

Notes

  • Never display passwords, certificates, keys, or other sensitive information in any output; show as ****** in confirmation summaries
  • Releasing a task is an irreversible operation; always require double confirmation
  • Creating tasks incurs charges (pay-as-you-go); remind users
  • If the ID format is ambiguous, attempt fuzzy search matching via DescribeDtsJobs
  • Use the Region from the configuration file by default, unless the user specifies a different Region
  • All information gathering must use interactive methods to avoid workflow interruption
  • Consolidate related input items into the same interaction round to minimize rounds

Files

9 total
Select a file
Select a file to preview.

Comments

Loading comments…