Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alibabacloud Resourcecenter Search

v0.0.1

Alibaba Cloud Resource Center - Global Resource Inventory, Search & Statistics Skill. Provides cross-region, cross-product, and cross-account resource invent...

by alibabacloud-skills-team @sdk-team

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for sdk-team/alibabacloud-resourcecenter-search.

Install the skill "Alibabacloud Resourcecenter Search" (sdk-team/alibabacloud-resourcecenter-search) from ClawHub.
Skill page: https://clawhub.ai/sdk-team/alibabacloud-resourcecenter-search
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install alibabacloud-resourcecenter-search

ClawHub CLI

npx clawhub@latest install alibabacloud-resourcecenter-search

Security Scan

Capability signals: Requires wallet, Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

!
Purpose & Capability
The skill's purpose is to run Alibaba Cloud Resource Center CLI operations, but the registry metadata lists no required binaries, no primary credential, and no required env vars or config paths. In reality SKILL.md requires the 'aliyun' CLI (>=3.3.1) and an Alibaba Cloud credential/profile (stored in ~/.aliyun/config.json or via environment variables). The metadata omission is an incoherence: a resource-center skill legitimately needs the CLI and credentials.
Instruction Scope
SKILL.md instructions stay on-topic: they guide the agent to use aliyun resourcecenter commands, require explicit user confirmation for parameters, and forbid printing or soliciting AK/SK in conversation. The skill includes a small helper script that calls the aliyun CLI. There are no instructions that read unrelated system secrets or exfiltrate data to external endpoints. The only scope concern is the strong requirement to run `aliyun configure set --auto-plugin-install true` and to have users configure credentials outside the session — both reasonable but should be made explicit in metadata.
Install Mechanism
No install spec is provided (instruction-only), so nothing is written to disk by the platform. The included README references official Alibaba Cloud download URLs (aliyuncli.alicdn.com) for manual installation, which are expected for this purpose. No high-risk download/install steps are embedded in the skill package itself.
!
Credentials
The skill requires Alibaba Cloud credentials and potentially high-scope RAM permissions for cross-account searches (per its RAM policy docs). However, the declared required env vars and primary credential are empty in the registry metadata. This mismatch could mislead users into installing the skill without realizing it needs sensitive credentials or management-account privileges. The skill's documentation correctly warns not to echo AK/SK and to configure credentials outside the conversation, but the package should have explicitly declared the credential requirements.
Persistence & Privilege
The skill does not request 'always: true' and has no install-time persistence. It does instruct the user to run `aliyun configure set --auto-plugin-install true`, which modifies the user's CLI configuration (auto-plugin install). That side-effect is reasonable for functionality but should be highlighted — it changes local CLI behavior and may add plugins later.
What to consider before installing
This skill is coherent with its stated purpose (running Alibaba Cloud Resource Center CLI calls), but the package metadata omits key requirements. Before installing or using it:

  1. Ensure you have the aliyun CLI >= 3.3.1 installed and understand that the skill will call it (the included Python script invokes the CLI).
  2. Understand that you must supply Alibaba Cloud credentials (AK/SK, STS token, RAM role, or ECS role) via your local CLI config or environment variables; do not paste secrets into the chat.
  3. Only use a least-privilege RAM user or read-only policy unless you intentionally need service enable/disable permissions — cross-account searches require management-account privileges.
  4. Be aware the skill asks you to enable automatic plugin installation in your CLI config, which changes local behavior.
  5. If you need higher assurance, ask the publisher to update the registry metadata to declare required binaries and credentials, or run the commands in an isolated environment (temporary account or sandbox) first.

Like a lobster shell, security has layers — review code before you run it.

latest vk9798t1fr7eceq4tmbh52t3q6584dt0s
75 downloads · 0 stars · 1 versions
Updated 3w ago
v0.0.1
MIT-0

1. Prerequisites

Pre-check: Aliyun CLI >= 3.3.1 required

Run aliyun version to verify >= 3.3.1. If not installed or version too low, see references/cli-installation-guide.md for installation instructions. Then [MUST] run aliyun configure set --auto-plugin-install true to enable automatic plugin installation.

Pre-check: Alibaba Cloud Credentials Required

Security Rules:

  • NEVER read, echo, or print AK/SK values (e.g., echo $ALIBABA_CLOUD_ACCESS_KEY_ID is FORBIDDEN)
  • NEVER ask the user to input AK/SK directly in the conversation or command line
  • NEVER use aliyun configure set with literal credential values
  • ONLY use aliyun configure list to check credential status

aliyun configure list

Check the output for a valid profile (AK, STS, or OAuth identity).

If no valid profile exists, STOP here.

  1. Obtain credentials from Alibaba Cloud Console
  2. Configure credentials outside of this session (via aliyun configure in terminal or environment variables in shell profile)
  3. Return and re-run after aliyun configure list shows a valid profile

2. Parameter Confirmation

IMPORTANT: Parameter Confirmation — Before executing any command or API call, ALL user-customizable parameters (e.g., RegionId, instance names, CIDR blocks, passwords, domain names, resource specifications, etc.) MUST be confirmed with the user. Do NOT assume and use default values without explicit user approval.

| Parameter | Required/Optional | Description | Default Value |
|---|---|---|---|
| Scope | Required (cross-account) | Cross-account search scope: Resource Directory ID, Root Folder ID, Folder ID, or Member ID | None |
| ResourceType | Optional | Resource type (e.g., ACS::ECS::Instance) | None (all types) |
| RegionId | Optional | Resource Region ID (e.g., cn-hangzhou) | None (all regions) |
| ResourceId | Optional | Resource ID | None |
| ResourceName | Optional | Resource name | None |
| VpcId | Optional | VPC ID (e.g., vpc-xxx) | None |
| VSwitchId | Optional | VSwitch (e.g., vsw-xxx) | None |
| IpAddress | Optional | IP address | None |
| GroupByKey | Optional | Statistics grouping dimension: ResourceType, RegionId, ResourceGroupId | None |
| MaxResults | Optional | Page size for paginated APIs. | 20 |

3. RAM Policy

See references/ram-policies.md for full permission lists.

Recommended system policies:

  • Read-only: AliyunResourceCenterReadOnlyAccess
  • Full access: AliyunResourceCenterFullAccess

Opening Resource Center will auto-create the service-linked role AliyunServiceRoleForResourceMetaCenter.

Resource Visibility Scope

RAM policies (defined in ram-policies.md) control whether a user can call a Resource Center API. However, for search APIs (SearchResources, GetResourceCounts, GetResourceConfiguration, SearchMultiAccountResources, GetMultiAccountResourceCounts, GetMultiAccountResourceConfiguration), the scope of resources visible in results is determined by each cloud product's own permissions:

Single Account

  • Cloud resource read permissions: A RAM user can only see resources in Resource Center for which they have read-only access on the corresponding cloud product. For example, granting ReadOnlyAccess lets the user see all resources they have access to; granting only AliyunVPCReadOnlyAccess limits visibility to VPC resources.
  • Resource group scoped permissions: If resources are organized by resource groups, you can grant a RAM user read access scoped to a specific resource group. The user will only see resources within that group, achieving resource isolation.

Cross-Account

  • Grant the system policy AliyunResourceCenterFullAccess to the RAM user of the Resource Directory management account to enable cross-account resource search.

4. Core Workflow

Step 1: Identify APIs Based on User Requirements

Determine which APIs are needed based on the user's specific scenario. Refer to the scenario cards below.

Step 2: [MUST] Read API Documentation Before Every CLI Call

CRITICAL WARNING: DO NOT execute any aliyun resourcecenter command without first reading the exact parameter format in references/related-apis.md.

Failure Pattern: Guessing parameters like --filter format will cause errors. The correct JSON structure MUST be copied from the documentation.

Mandatory Action: Open and read the specific API section in references/related-apis.md BEFORE constructing any CLI command.


Scenario Cards

Scenario 1: Service Activation

| Requirement | Account Type | API | Description |
|---|---|---|---|
| Check if enabled | Single-account | get-resource-center-service-status | Returns service status |
| Enable service | Single-account | enable-resource-center | Required for first-time use |
| Check cross-account status | Resource Directory | get-multi-account-resource-center-service-status | Multi-account scenario |
| Enable cross-account service | Resource Directory | enable-multi-account-resource-center | Requires management account or delegated admin |

Scenario 2: ResourceType Discovery

| Requirement | Account Type | Script | Description |
|---|---|---|---|
| Find resource type codes by keyword | Single-account | scripts/query-resource-types.py | Search across ResourceType, ProductName, and ResourceTypeName fields |

Decision Logic:

  • When you need to filter by resource type but don't know the exact code -> Use this script first
  • After discovering the correct ResourceType code -> Use it in search or count API with --filter parameter

Scenario 3: Resource Search

| Requirement | Account Scope | API | Key Parameters |
|---|---|---|---|
| Search resources by criteria | Current account | search-resources | --filter |
| Cross-account resource search | Resource Directory | search-multi-account-resources | --scope + --filter |
| Search including deleted resources | Current account | search-resources | --include-deleted-resources=true |

Scenario 4: View Resource Details

| Requirement | Account Scope | API | Use Case |
|---|---|---|---|
| Get single resource configuration | Current account | get-resource-configuration | Get complete configuration details |
| Batch get multiple resource configurations | Current account | batch-get-resource-configurations | Get multiple resources at once |
| Get resource configuration from another account | Resource Directory | get-multi-account-resource-configuration | Cross-account view |

Scenario 5: Statistics and Analysis

| Requirement | Account Scope | API | Grouping Dimensions |
|---|---|---|---|
| Count resources | Current account | get-resource-counts | ResourceType, RegionId, ResourceGroupId |
| Cross-account statistics | Resource Directory | get-multi-account-resource-counts | ResourceType, RegionId, ResourceGroupId |

Scenario 6: Tag Discovery

| Requirement | Account Scope | API | Description |
|---|---|---|---|
| List all tag keys | Current account | list-tag-keys | Browse tag catalog |
| List values for a specific tag key | Current account | list-tag-values | e.g., list all values for env |
| Cross-account tag keys | Resource Directory | list-multi-account-tag-keys | Multi-account scenario |
| Cross-account tag values | Resource Directory | list-multi-account-tag-values | Multi-account scenario |

5. Success Verification

See references/verification-method.md for detailed verification steps and commands for each workflow step.


6. Precautions

[MUST] High-Risk Operation Confirmation — Before executing disable-resource-center or disable-multi-account-resource-center:

  1. MUST explicitly inform the user of the impacts:
     • Disable Impact
       • After disabling Resource Center, resource data will no longer be viewable in Resource Center. Specifically:
         • For a single Alibaba Cloud account, after disabling Resource Center, resource data in the current account will no longer be viewable.
         • For the management account of a Resource Directory and the delegated administrator account of Resource Center, disabling Resource Center will also disable the cross-account resource search feature. Resource data in the current account and members of the Resource Directory will no longer be viewable. Additionally, members will not be able to view resource data in their own accounts.
         • After disabling Resource Center, the resource management module on the console homepage, Config Audit service, and other related scenarios will also be unable to view resource data.
     • Disable Restrictions
       • If the management account of a Resource Directory or the delegated administrator account of Resource Center has cross-account resource features enabled by another account, Resource Center cannot be disabled.
       • If there are cloud products or features that have strong dependencies on Resource Center, such as Config Audit and associated resource transfer, you must first disable those cloud products or features before you can disable Resource Center.
  2. MUST obtain explicit user confirmation (e.g., user types "confirm disable" or similar clear affirmation)
  3. DO NOT proceed without user's explicit acknowledgment

Disable Resource Center

Warning: Disabling will remove all resource data and affect dependent services (e.g., Config Audit). Must first disable cross-account if enabled.

aliyun resourcecenter disable-resource-center \
  --user-agent AlibabaCloud-Agent-Skills

Disable Cross-Account Resource Center

Must be done before disabling single-account resource center (if cross-account is enabled). Requires management account or delegated admin.

aliyun resourcecenter disable-multi-account-resource-center \
  --user-agent AlibabaCloud-Agent-Skills

7. Best Practices

  1. --user-agent on every Resource Center CLI call — All aliyun resourcecenter examples in this skill include --user-agent AlibabaCloud-Agent-Skills. When executing commands for this skill, always pass the same flag so usage is consistent with verification, maintainers’ expectations, and any automated checks.
  2. Use filters for targeted search — Combining ResourceType, RegionId, and Tag filters improves search efficiency
  3. Use GroupByKey for quick statistics — Get resource distribution by type, region, or resource group without iterating
  4. Cross-account scope selection — Use the most specific scope (member ID > folder ID > root folder ID > directory ID) to narrow search results
  5. Wait after enabling — Resource Center needs a few minutes to build data after activation; large accounts may take longer
  6. Prefer read-only policies — For daily search and statistics operations, use AliyunResourceCenterReadOnlyAccess for security
  7. ResourceType discovery — When the exact resource type code is unknown, use the helper script documented in Section 8 (run from the skill root directory).
  8. Tag discovery vs tag-filtered search — For “what tag keys/values exist”, use list-tag-keys / list-tag-values (and multi-account variants with --scope). Reserve search-resources for finding resources that match tag conditions.
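
The Security Rules in Section 1, the high-risk confirmation in Section 6 and best practice 1 above can be enforced mechanically before an agent-proposed command reaches a shell. The following gate is an added example, not code from the skill package; the function names are hypothetical, and the credential flag names and environment-variable prefix are assumptions generalised from the one variable this page names.

```python
import shlex

# Assumptions, not taken from the skill package: the flag names below are the
# aliyun CLI's credential options, and the env-var prefix generalises the one
# variable the page names (ALIBABA_CLOUD_ACCESS_KEY_ID).
SECRET_FLAGS = {"--access-key-id", "--access-key-secret", "--sts-token"}
SECRET_MARKERS = ("ALIBABA_CLOUD_ACCESS_KEY_", ".aliyun/config.json")
HIGH_RISK = {"disable-resource-center", "disable-multi-account-resource-center"}
USER_AGENT = "AlibabaCloud-Agent-Skills"

def flag_value(argv, flag):
    """Return the value of `--flag value` or `--flag=value`, else None."""
    for i, arg in enumerate(argv):
        if arg == flag and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith(flag + "="):
            return arg.split("=", 1)[1]
    return None

def review_command(command, user_confirmed=False):
    """Return the rule violations for one command line; an empty list means allowed."""
    violations = []
    # Section 1: never read, echo or print AK/SK values, whatever the program.
    if any(marker in command for marker in SECRET_MARKERS):
        violations.append("touches credential material")
    try:
        argv = shlex.split(command.replace("\\\n", " "))  # join continuation lines
    except ValueError:
        return violations + ["unparseable command line"]
    if not argv or argv[0] != "aliyun":
        return violations
    flags = {arg.split("=", 1)[0] for arg in argv if arg.startswith("--")}
    # Section 1: `configure set` is fine for settings, not for literal secrets.
    if argv[1:3] == ["configure", "set"] and flags & SECRET_FLAGS:
        violations.append("configure set with literal credentials")
    if argv[1:2] == ["resourcecenter"]:
        # Best practice 1: every Resource Center call carries the skill's user agent.
        if flag_value(argv, "--user-agent") != USER_AGENT:
            violations.append("missing --user-agent " + USER_AGENT)
        # Section 6: disable operations need explicit user confirmation first.
        if len(argv) > 2 and argv[2] in HIGH_RISK and not user_confirmed:
            violations.append("high-risk operation without user confirmation")
    return violations

if __name__ == "__main__":
    # Constructed sample commands, as an agent might propose them.
    for cmd in ("aliyun configure list",
                "echo $ALIBABA_CLOUD_ACCESS_KEY_ID",
                "aliyun resourcecenter disable-resource-center --user-agent " + USER_AGENT):
        print(cmd, "->", review_command(cmd) or "allowed")
```

A substring gate like this is a backstop for the written rules, not a sandbox: it does not see credentials reached through indirection, so least-privilege RAM policies remain the primary control.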

8. Available scripts

| Script | Purpose | Usage |
|---|---|---|
| scripts/query-resource-types.py | Queries resource types by keyword from Alibaba Cloud Resource Center; stdout is JSON (resourceTypes, count, keyword, language; failures use success: false and error) | python3 scripts/query-resource-types.py <keyword> [--language LANGUAGE] |

9. Troubleshooting

When a Resource Center API call or aliyun resourcecenter command fails, read the response’s HTTP status, Code (error code), and Message, then match them against the catalog.

Full error list: references/error-codes.md


10. Reference Links

| Reference | Description |
|---|---|
| references/related-apis.md | All CLI commands list |
| references/ram-policies.md | RAM permission policies |
| references/verification-method.md | Verification steps for each workflow |
| references/error-codes.md | Deduplicated Resource Center API error code catalog (HTTP, Code, Message) and lookup hints |
| references/cli-installation-guide.md | Aliyun CLI installation guide |
| references/acceptance-criteria.md | For maintainers/CI only: Skill testing acceptance criteria, correct CLI command patterns, parameter validation rules. Note: This document is intended for human maintainers and automated testing, not required reading for end users. |
