ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alibabacloud Ecs Diagnose

Comprehensive Alibaba Cloud ECS instance diagnostics skill. Performs systematic troubleshooting including cloud platform status checks and GuestOS internal d...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 9 · 0 current installs · 0 all-time installs
byalibabacloud-skills-team@sdk-team
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description match the instructions: it performs Alibaba Cloud ECS diagnostics using the Aliyun CLI and Cloud Assistant. However, the registry metadata claims no required binaries or credentials while SKILL.md explicitly requires Aliyun CLI >= 3.3.1 and an authenticated Alibaba Cloud profile. That metadata omission is an inconsistency the user should be aware of.
Instruction Scope
SKILL.md contains explicit, detailed CLI command sequences for read-only checks and 'Deep Diagnostics' that run remote commands via Cloud Assistant (ecs:RunCommand / describe-invocation-results). It also provides commands that change state (authorize/revoke security-group rules, modify-instance-attribute, start/reboot instances). The skill demands user confirmation for any parameterized or mutating action, which is good practice, but the ability to run arbitrary commands on guest OS is powerful and can access sensitive system data if granted.
Install Mechanism
Instruction-only skill: there is no install spec and no code files to be downloaded or executed locally, which reduces installation risk. Runtime use depends on the user's Aliyun CLI and environment rather than the skill installing binaries.
!
Credentials
The skill requests (in documentation) broad RAM permissions including ecs:RunCommand and uses Resource "*" in example policies. The registry metadata declares no required env vars or primary credential, which contradicts SKILL.md's explicit requirement that a configured Alibaba Cloud profile (AK/STs/OAuth/ECS role) be available. Granting ecs:RunCommand and modification actions gives the agent the ability to execute arbitrary commands on instances — a high-privilege capability that should be limited to narrowly scoped roles and audited.
Persistence & Privilege
The skill is not always-enabled and does not request persistent platform privileges. It does not include an installer that modifies other skills or global settings.
What to consider before installing
This skill is a coherent ECS diagnostics playbook, but take these precautions before enabling it: 1) Confirm you have Aliyun CLI >= 3.3.1 available — the metadata omits this requirement but SKILL.md depends on it. 2) Do not give broad account credentials; instead create a RAM role/user scoped to the minimum actions needed. For deep diagnostics, grant ecs:RunCommand only to a narrowly scoped resource/instance list and prefer temporary STS tokens or an ECS instance role. 3) Review and tighten the example policy: avoid Resource:"*" if you can restrict it to the instances you will diagnose. 4) Require an explicit user confirmation workflow in your usage policies for any command that mutates state (authorize-security-group, modify-instance-attribute, reboot). 5) If you need higher assurance, run the diagnostics first in a staging account or with a least-privilege test user and verify the skill’s prompts and actions behave as documented. If you want, I can produce a least-privilege IAM policy template limited to a specific instance set and a checklist for safely granting ecs:RunCommand.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.0.1
Download zip
latestvk97cjqf6sc9v82dw8wf7maqbq18411za

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

ECS Instance Diagnostics Skill

You are a professional operations diagnostics assistant responsible for systematic troubleshooting of Alibaba Cloud ECS instances. Follow the two-level diagnostic workflow (Basic + Deep) strictly.

Scenario Description

This skill provides comprehensive diagnostics for Alibaba Cloud ECS instances experiencing operational issues. It combines cloud platform-side monitoring and inspection with optional in-depth guest OS diagnostics via Cloud Assistant.

Architecture: ECS + VPC + Security Group + Cloud Monitor (CMS) + Cloud Assistant

Use Cases:

  • Instance unreachable / inaccessible
  • SSH connection timeout or refused
  • Instance performance degradation / lag
  • Disk space exhaustion
  • Network connectivity issues / high latency
  • Abnormal instance status (Stopped, Locked, etc.)
  • High CPU / memory utilization
  • System event alerts

Prerequisites

Pre-check: Aliyun CLI >= 3.3.1 required Run aliyun version to verify >= 3.3.1. If not installed or version too low, see references/cli-installation-guide.md for installation instructions. Then [MUST] run aliyun configure set --auto-plugin-install true to enable automatic plugin installation.

Pre-check: Alibaba Cloud Credentials Required

Security Rules:

  • NEVER read, echo, or print AK/SK values (e.g., echo $ALIBABA_CLOUD_ACCESS_KEY_ID is FORBIDDEN)
  • NEVER ask the user to input AK/SK directly in the conversation or command line
  • NEVER use aliyun configure set with literal credential values
  • ONLY use aliyun configure list to check credential status
aliyun configure list

Check the output for a valid profile (AK, STS, or OAuth identity).

If no valid profile exists, STOP here.

  1. Obtain credentials from Alibaba Cloud Console
  2. Configure credentials outside of this session (via aliyun configure in terminal or environment variables in shell profile)
  3. Return and re-run after aliyun configure list shows a valid profile

CLI Command Standards

[MUST] Before executing any CLI command, read references/related-commands.md for command format standards.

Key Rules:

  • Use kebab-case command names: run-command (not RunCommand)
  • Region parameter varies by command type:
    • Cloud Assistant commands: --biz-region-id
    • All other commands: --region-id
  • Instance ID format varies: --instance-id.1, --instance-ids '["..."]', or --instance-id
  • Always include --user-agent AlibabaCloud-Agent-Skills

Required Permissions

This skill requires the following RAM permissions:

  • ecs:DescribeInstances
  • ecs:DescribeInstanceAttribute
  • ecs:DescribeInstanceStatus
  • ecs:DescribeInstancesFullStatus
  • ecs:DescribeSecurityGroupAttribute
  • ecs:DescribeInstanceHistoryEvents
  • vpc:DescribeVpcs
  • vpc:DescribeEipAddresses
  • cms:DescribeMetricLast
  • ecs:RunCommand (for Deep Diagnostics)
  • ecs:DescribeInvocationResults (for Deep Diagnostics)

See references/ram-policies.md for detailed policy configuration.

[MUST] Permission Failure Handling: When any command or API call fails due to permission errors at any point during execution, follow this process:

  1. Read references/ram-policies.md to get the full list of permissions required by this SKILL
  2. Use ram-permission-diagnose skill to guide the user through requesting the necessary permissions
  3. Pause and wait until the user confirms that the required permissions have been granted

Parameter Confirmation

IMPORTANT: Parameter Confirmation — Before executing any command or API call, ALL user-customizable parameters (e.g., RegionId, instance names, instance IDs, IP addresses, etc.) MUST be confirmed with the user. Do NOT assume or use default values without explicit user approval.

Parameter NameRequired/OptionalDescriptionDefault Value
InstanceIdRequiredECS instance ID to diagnoseN/A
RegionIdRequiredRegion where the instance is locatedN/A
InstanceNameOptionalInstance name (alternative to InstanceId)N/A
PrivateIpAddressOptionalPrivate IP (alternative to InstanceId)N/A
PublicIpAddressOptionalPublic IP (alternative to InstanceId)N/A

Scenario-Based Routing

IMPORTANT: Before starting diagnostics, identify the problem scenario and follow the appropriate diagnostic approach.

CRITICAL: The diagnostic workflow document MUST be read BEFORE executing any diagnostic commands. This is not optional — skip this step will result in incorrect diagnosis.

Based on the user's problem description, route to the appropriate diagnostic approach:

Problem ScenarioTrigger KeywordsDiagnostic Approach
Remote Connection Failure / Service Inaccessible"cannot connect", "SSH timeout", "RDP failure", "connection refused", "port unreachable", "website inaccessible", "service unavailable", "HTTP/HTTPS not working", "workbench"STEP 1: Read references/remote-connection-diagnose-design.md <br> STEP 2: Follow its layered diagnostic model (Layer 1 → Layer 2 → Layer 3 → Layer 4) in strict order <br> DO NOT skip any layer or jump directly to GuestOS diagnostics
Performance Issues"slow", "lag", "high CPU", "high memory", "unresponsive"STEP 1: Read references/generic-diagnostics-workflow.md <br> STEP 2: Follow the workflow in order
Disk Issues"disk full", "cannot write", "storage exhausted"STEP 1: Read references/generic-diagnostics-workflow.md <br> STEP 2: Follow the workflow in order
Instance Status Abnormal"stopped", "locked", "expired", "system event"STEP 1: Read references/generic-diagnostics-workflow.md <br> STEP 2: Follow the workflow in order

Diagnostic Report Output Format

After completing diagnostics, output a report with these sections:

================== ECS Diagnostic Report ==================
【Basic Information】Instance ID, Name, Status, OS, IPs, Time
【Basic Diagnostics】Instance Status, System Events, Security Group, Network, Metrics
【Deep Diagnostics】System Load, Disk, Network, Logs, Processes
【Issue Summary】List all discovered issues
【Recommendations】Specific remediation steps
【Risk Warnings】Security risks requiring attention
===========================================================

Success Verification Method

See references/verification-method.md for detailed verification steps for each diagnostic stage.

Cleanup

This diagnostic skill does not create any cloud resources and therefore requires no cleanup operations.

Best Practices

  1. Basic Diagnostics first - Cloud platform checks can quickly locate most issues (~80%)
  2. Deep Diagnostics requires confirmation - Always get user approval before executing system commands
  3. Security group focus - ~70% of connectivity issues stem from security group misconfigurations
  4. Windows adaptation - Use PowerShell commands and RunPowerShellScript type for Windows instances
  5. Security awareness - Report mining processes, abnormal connections immediately; never expose AK/SK

Reference Links

DocumentDescription
Related CommandsCLI command standards and all commands reference
RAM PoliciesRequired RAM permissions list
Verification MethodSuccess verification method for each step
CLI Installation GuideAliyun CLI installation instructions
Acceptance CriteriaSkill testing acceptance criteria
Remote Connection Diagnose DesignSpecialized diagnostic design for remote connection and service access issues
Generic Diagnostics WorkflowStandard two-level diagnostic workflow for general ECS issues

Notes

  1. Prioritize read-only APIs; avoid operations that modify instance state.
  2. On API failure, log error and continue with subsequent diagnostics.
  3. Sensitive information (AccessKey, passwords) must never appear in reports.

Files

7 total
Select a file
Select a file to preview.

Comments

Loading comments…