Description

Alibaba Cloud Security Center (SAS) CWPP host security alert handling skill. Used for querying, analyzing, and handling security alerts from Cloud Security C...

README (SKILL.md)

Cloud Security Center CWPP Alert Handling Skill

Name: Alibabacloud Sas Alert Handler
Author: sdk-team

Scenario Description

This skill helps users query and handle CWPP host security alerts from Alibaba Cloud Security Center (SAS/Aegis).

Core Capabilities:

Query security alert list
Analyze alert details and recommend handling methods
Execute alert handling operations (ignore, whitelist, block, quarantine, etc.)
Query handling status and summarize results

Architecture: Alibaba Cloud Security Center (SAS) + RAM Permissions + CLI Tools

Installation Requirements

Pre-check: Aliyun CLI >= 3.3.3 required

Run aliyun version to verify >= 3.3.3. If not installed or version too low, run curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash to update, or see references/cli-installation-guide.md for installation instructions.

Pre-check: Aliyun CLI plugin update required

[MUST] run aliyun configure set --auto-plugin-install true to enable automatic plugin installation. [MUST] run aliyun plugin update to ensure that any existing plugins are always up-to-date.

[MUST] CLI User-Agent — Every aliyun CLI command invocation must include: --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler

At the start of the Core Workflow (before any CLI invocation): [MUST] Enable AI-Mode — AI-mode is required for Agent Skill execution. Run the following commands before any CLI invocation:

aliyun configure ai-mode enable
aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler"

[MUST] Disable AI-Mode at EVERY exit point — Before delivering the final response for ANY reason, always disable AI-mode first. This applies to ALL exit paths: workflow success, workflow failure, error/exception, user cancellation, session end, or any other scenario where no further CLI commands will be executed. AI-mode is only used for Agent Skill invocation scenarios and MUST NOT remain enabled after the skill stops running.

aliyun configure ai-mode disable

Authentication Configuration

Pre-check: Alibaba Cloud Credentials Required

Security Rules:

NEVER read, output, or print AK/SK values

NEVER ask users to input AK/SK directly

ONLY use aliyun configure list to check credential status
aliyun configure list
Check the output for a valid profile. If no valid profile exists, STOP here.

RAM Permission Requirements

Permission Name	Description
`yundun-sas:DescribeSuspEvents`	Query alert list
`yundun-sas:DescribeSecurityEventOperations`	Query available operations
`yundun-sas:HandleSecurityEvents`	Handle alerts
`yundun-sas:DescribeSecurityEventOperationStatus`	Query handling status

For detailed policies, see references/ram-policies.md

[MUST] Permission Failure Handling: When permission errors occur:

Read references/ram-policies.md for required permissions

Use ram-permission-diagnose skill to guide user

Wait until user confirms permissions granted

Core Workflow

Step 0: Identify Query Scenario (Critical)

⚠️ IMPORTANT: Choose the correct API based on user input

Scenario	User Input Example	Correct Approach
User specified alert ID	"Query alert 702173474"	Directly call `DescribeSecurityEventOperations --SecurityEventId {ID}`
User did not specify alert ID	"View my alerts"	Execute Step 1 to query alert list

Scenario A: User specified alert ID → Verify alert exists:

aliyun sas DescribeSecurityEventOperations \
  --SecurityEventId {AlertID} \
  --Lang zh \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler

Success → Alert exists, proceed to Step 5
Failure (SecurityEventNotExists) → See references/error-handling.md

Scenario B: User did not specify alert ID → Proceed to Step 1

Step 1: Query Alert List

aliyun sas DescribeSuspEvents \
  --Lang zh \
  --From sas \
  --CurrentPage 1 \
  --PageSize 10 \
  --Levels "serious,suspicious,remind" \
  --Dealed N \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler 2>/dev/null | jq '.SuspEvents[] | {Id, Name: .AlarmEventNameDisplay, AlarmEventType, Level, InternetIp, IntranetIp, LastTime, EventStatus, Uuid}'

Key Response Fields:

Field	Description
Id	Alert event ID (core field)
AlarmEventNameDisplay	Alert name
AlarmEventType	Alert type
Level	Severity (serious/suspicious/remind)
EventStatus	1=pending, 2=ignored, 8=false positive, 32=completed

Step 2: Display Alert Information and Recommendations

Display Format:

Alert List (Total X items):

[Alert 1] ID: 7009607xx
- Name: ECS login from unusual location
- Type: Unusual Login
- Severity: suspicious
- Asset: 47.xxx.xxx.xxx / 10.xxx.xxx.xxx
- Status: Pending
- Time: 2026-03-19 14:11:05
- Recommended Action: Block IP
- Reason: Unusual login behavior detected

For operateCode mappings and recommendation rules, see references/operation-codes.md

Step 3: Determine Handling Intent

Case A: User specified handling method → Proceed to Step 4

Case B: User did not specify → Must ask user:

Please confirm how to handle these alerts:

1. ✅ Handle all using recommended methods
2. 🔧 Custom handling method
3. ❌ Cancel

Please select (enter number):

Step 4: Query Available Handling Operations

⚠️ Strict Constraint: Each alert's available operations must be queried individually

NEVER assume one alert's operations apply to another

MUST call DescribeSecurityEventOperations for each alert

aliyun sas DescribeSecurityEventOperations \
  --SecurityEventId {AlertID} \
  --Lang zh \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler

⚠️ Critical: Only execute operations where UserCanOperate=true

Step 5: Build Parameters and Execute

Quick Reference - Common Operations:

OperationCode	OperationParams	Notes
block_ip	`{"expireTime":1773991205392}`	expireTime = current + duration (ms)
kill_and_quara	`{"subOperation":"killAndQuaraFileByMd5andPath"}`
virus_quara	`{"subOperation":"quaraFileByMd5andPath"}`
quara	`{}`
ignore	`{}`
manual_handled	`{}`
advance_mark_mis_info	`{}` + MarkMissParam	See workflow-details.md

Example - ignore:

aliyun sas HandleSecurityEvents \
  --SecurityEventIds.1 7009586xx \
  --OperationCode ignore \
  --OperationParams '{}' \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler

Example - kill_and_quara:

aliyun sas HandleSecurityEvents \
  --SecurityEventIds.1 7008619xx \
  --OperationCode kill_and_quara \
  --OperationParams '{"subOperation":"killAndQuaraFileByMd5andPath"}' \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler

Example - block_ip (7 days):

# Calculate: current_timestamp_ms + 7*24*60*60*1000
aliyun sas HandleSecurityEvents \
  --SecurityEventIds.1 7009607xx \
  --OperationCode block_ip \
  --OperationParams '{"expireTime":1773991205392}' \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler

Example - advance_mark_mis_info:

aliyun sas HandleSecurityEvents \
  --SecurityEventIds.1 7009586xx \
  --OperationCode advance_mark_mis_info \
  --OperationParams '{}' \
  --MarkMissParam '[{"uuid":"ALL","field":"loginSourceIp","operate":"strEqual","fieldValue":"59.82.xx.xx"}]' \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler

⚠️ For advanced whitelist (advance_mark_mis_info):

Must ask user about whitelist rules and scope

Must preserve existing MarkField rules

See references/workflow-details.md for detailed process

For complete CLI examples and parameter details, see references/workflow-details.md

Step 6: Query Handling Status

⚠️ CLI Requirement: Must pass both TaskId and SecurityEventIds

aliyun sas DescribeSecurityEventOperationStatus \
  --TaskId 290511xx \
  --SecurityEventIds.1 7009607xx \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-sas-alert-handler

Polling Logic:

TaskStatus=Processing → Wait 2s, retry (max 5 times)
After 10s still not complete → Mark as failed
TaskStatus=Success → Handling successful
TaskStatus=Failure → Check ErrorCode

Step 7: Loop to Handle Other Alerts

If there are other alerts, repeat Steps 3-6. Maximum 20 alerts per batch.

Step 8: Results Summary

========== Handling Results Summary ==========

✅ Successfully Handled: 3 items
  [Alert 7009607xx] Block IP - Success

❌ Handling Failed: 1 item
  [Alert 7008557xx] Kill and Quarantine - Failed (AgentOffline)

Total: 4 items, Success 3, Failed 1

For detailed format, see references/error-handling.md

operateCode Quick Reference

operateCode	Description	Additional Params
block_ip	Block IP	expireTime (required)
kill_and_quara	Kill and Quarantine	subOperation (required)
virus_quara	Quarantine File	subOperation (required)
quara	Quarantine	None
advance_mark_mis_info	Advanced Whitelist	MarkMissParam
ignore	Ignore	None
manual_handled	Mark as Handled	None
kill_process	Kill Process	None

For complete operateCode categories and details, see references/operation-codes.md

Error Handling

Error Scenario	Handling Method
UserCanOperate=false	Operation not supported, version limitation
Timeout (>10s)	Mark as failed, continue next
*.AgentOffline	Client offline, cannot handle
*.ProcessNotExist	Suggest using virus_quara_bin
NoPermission	Contact admin for authorization
SecurityEventNotExists	Search in handled alerts first

For detailed error handling procedures, see references/error-handling.md

Best Practices

Query before handling: Call DescribeSecurityEventOperations first
Batch limit: Maximum 20 alerts per batch
Preserve existing rules: When using advanced whitelist, merge existing MarkField rules
Timeout handling: Polling over 10 seconds = failed
User confirmation: Must confirm intent before handling
Logging: Record all operations for auditing

Reference Documents

Document	Description
references/workflow-details.md	Detailed workflow, CLI examples, advanced whitelist
references/operation-codes.md	Complete operateCode reference
references/error-handling.md	Error handling procedures
references/related-apis.md	API parameter details
references/ram-policies.md	RAM permission policies
references/verification-method.md	Verification methods
references/cli-installation-guide.md	CLI installation guide

Usage Guidance

Key points to consider before installing or enabling this skill: - Metadata vs reality: The skill documentation requires the Aliyun CLI and Alibaba Cloud credentials and RAM permissions (including HandleSecurityEvents), but the registry metadata does not declare any required binaries or credentials. Treat this as a red flag — ask the publisher (or the registry owner) to correct the metadata before granting access. - Minimum permissions: If you will use it, do not grant full HandleSecurityEvents/FullAccess to an untrusted agent. Start by testing with read-only permissions (DescribeSuspEvents, DescribeSecurityEventOperations, DescribeSecurityEventOperationStatus) to verify behavior; only grant HandleSecurityEvents when you explicitly trust the agent and have reviewed the workflow. - Prefer temporary creds or instance roles: Use STS temporary tokens or an ECS RAM role (if running on ECS) instead of long-lived AK/SK. That limits exposure if the agent or skill is compromised. - Confirm user-interaction model: Ensure the agent requires explicit user confirmation before executing any destructive actions (block_ip, kill_and_quara, quarantine, whitelist changes). The SKILL.md describes prompts, but confirm your agent enforces them. - Verify CLI downloads manually: The docs point to Alibaba's CDN for CLI binaries. If you must download, verify the URL and checksum, and avoid running unreviewed install scripts as root. - Audit and logging: Ensure audit logs and CloudTrail-equivalent (Alibaba Cloud audit) are enabled so handling operations are recorded and traceable. - Sandbox first: Run the skill and commands in a controlled/test account or sandbox with limited privileges to validate behavior before using in production. - Ask for corrected metadata: The registry entry should explicitly list required binaries (aliyun, jq), required environment variables or primary credential, and a clear list of required RAM permissions. If the publisher cannot or will not provide accurate metadata, treat the skill as higher risk.

Capability Analysis

Type: OpenClaw Skill Name: alibabacloud-sas-alert-handler Version: 0.0.1 The skill bundle is a legitimate tool for managing Alibaba Cloud Security Center (SAS) alerts via the Aliyun CLI. It provides comprehensive workflows for querying, analyzing, and remediating security events (e.g., blocking IPs, quarantining files) while explicitly instructing the agent to never expose credentials and to seek user confirmation before executing destructive actions. The code and instructions in SKILL.md and the reference documents are strictly aligned with the stated purpose and follow security best practices, such as using specific RAM permissions and including a custom user-agent for auditing.

Capability Assessment

⚠ Purpose & Capability

The skill's name and description match Alibaba Cloud SAS alert handling. However the registry metadata declares no required binaries, no required environment variables, and no primary credential, while the SKILL.md explicitly requires the Aliyun CLI (aliyun >= 3.3.1), Alibaba Cloud credentials (AK/SK, STS, or ECS RAM role), and specific RAM permissions (including HandleSecurityEvents). The declared metadata is incomplete and does not reflect what the skill actually needs to function.

⚠ Instruction Scope

The runtime instructions direct the agent to run many aliyun CLI commands that query and perform destructive operations (HandleSecurityEvents, block_ip, kill_and_quara, advance_mark_mis_info, etc.). They also use shell tooling (jq, grep, wget, tar, sleep). The docs reference reading and securing ~/.aliyun/config.json and environment variables like ALIBABA_CLOUD_ACCESS_KEY_ID / ALIBABA_CLOUD_ACCESS_KEY_SECRET, but those env vars and required binaries are not declared in metadata. The skill's instructions therefore require access to credentials and control over cloud resources, which is greater scope than the registry metadata implies.

ℹ Install Mechanism

This is an instruction-only skill (no install spec). The docs include instructions to download the Aliyun CLI from official aliyuncdn URLs and to install/move the binary to /usr/local/bin. Downloading an external binary is expected for installing the CLI, and the URLs shown appear to be Alibaba's official CDN — that is reasonable. Because there is no install spec recorded in the registry, the agent's platform won't perform an audited install; users or agent scripts would perform manual downloads, which increases operational risk if users blindly follow instructions. The skill itself does not ship code, so no embedded payloads were scanned.

⚠ Credentials

The instructions require cloud credentials and specific RAM permissions (including HandleSecurityEvents, which permits modifying/acting on hosts). Those privileges are proportionate to a handler that executes blocks/quarantine, but the registry metadata lists no required credentials or primaryEnv. There is a mismatch: the skill effectively needs sensitive credentials and potentially broad permissions, yet does not declare them. That omission prevents proper gating and review before granting access. Also the docs reference multiple authentication modes and environment variables (ALIBABA_CLOUD_ACCESS_KEY_ID/SECRET, STS token, ECS RAM role) that are not surfaced in the skill metadata.

ℹ Persistence & Privilege

always is false (good). disable-model-invocation is false (normal), so the agent could invoke the skill autonomously. Combined with the skill's ability to perform destructive cloud actions when credentials/permissions are present, autonomous invocation increases blast radius. This is not itself disqualifying, but it is important to ensure the agent is not allowed to run handling operations without explicit user confirmation and that granted permissions follow least privilege.

Version History

v0.0.1

Initial release of Alibaba Cloud Security Center (SAS) CWPP alert handling skill. - Query, analyze, and handle security alerts from Alibaba Cloud Security Center (SAS/Aegis) - Support querying alert list and detailed information - Recommend and execute alert handling actions (ignore, whitelist, block, quarantine, etc.) - Validate permissions, environment, and credentials with detailed guidance for troubleshooting - Step-by-step workflow for full lifecycle alert handling, including polling status and summarizing results

Metadata

Slug alibabacloud-sas-alert-handler

Version 0.0.1

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Alibabacloud Sas Alert Handler?

Alibaba Cloud Security Center (SAS) CWPP host security alert handling skill. Used for querying, analyzing, and handling security alerts from Cloud Security C... It is an AI Agent Skill for Claude Code / OpenClaw, with 92 downloads so far.

How do I install Alibabacloud Sas Alert Handler?

Run "/install alibabacloud-sas-alert-handler" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Alibabacloud Sas Alert Handler free?

Yes, Alibabacloud Sas Alert Handler is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Alibabacloud Sas Alert Handler support?

Alibabacloud Sas Alert Handler is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Alibabacloud Sas Alert Handler?

It is built and maintained by alibabacloud-skills-team (@sdk-team); the current version is v0.0.1.

More Skills

Alibabacloud Sas Alert Handler