vieiradiego

Sre Publish

by Diego Vieira · GitHub ↗ · v1.0.2 · MIT-0
cross-platform ⚠ suspicious
Downloads 99
Stars 0
Active Installs 0
Versions 3
Install in OpenClaw
/install openclaw-aws-sre-report
Description
AWS SRE health check with FinOps — queries CloudWatch, SQS DLQ, and Cost Explorer, generates a Bedrock-powered incident diagnosis (Contexto, Soluções, CTAs),...
Usage Guidance
This package appears to implement the described AWS SRE + FinOps reporter, but proceed carefully. Key things to review before installing or running:
  1. Credential handling — the code uses AWS SDK calls but the skill doesn't list AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY; ensure you supply credentials safely (instance role or environment vars) and avoid embedding long-lived keys in the skill config.
  2. Data exposure — the reporter peeks at a DLQ message and will include findings in a Telegram message; if your DLQ can contain PII or secrets, disable the DLQ peek or send reports to a tightly controlled private chat only.
  3. IAM permissions — follow least-privilege: only grant cloudwatch:GetMetricStatistics, sqs:GetQueueAttributes/ReceiveMessage (for the DLQ ARN), ce:GetCostAndUsage, and bedrock:InvokeModel as needed; test in a non-production account first.
  4. Bedrock output risk — the model is instructed to include real CLI commands; models can hallucinate ARNs or unsafe steps despite guidance, so review any generated CTAs before executing them.
  5. Fix the primaryEnv/requirements mismatch in config or SKILL.md (AWS_REGION is not a secret/credential) so expectations about where credentials come from are clear.
If you cannot accept the DLQ->Telegram behavior or cannot tightly control the Telegram destination and IAM scope, do not install/run this skill.
Capability Assessment
Purpose & Capability
The code, dependencies, and declared env vars align with an AWS SRE/FinOps reporter (CloudWatch, SQS, Cost Explorer, Bedrock, Telegram). One oddity: primaryEnv is set to AWS_REGION — region is not a credential. The SDK calls will still require AWS credentials (IAM role or AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY) but those credentials are not listed as required envs.
Instruction Scope
Runtime instructions and code deliberately peek at a DLQ message and include it in a Bedrock-powered incident report which is then always sent to Telegram (SKILL.md requires sending even if Bedrock/Cost Explorer fail). That behavior is coherent with the stated purpose (diagnosis + CTAs) but it creates a clear privacy/exfiltration vector: any sensitive payload in the DLQ could be transmitted to an external Telegram chat. The SKILL.md does instruct 'Never delete DLQ messages' and 'peek only', but peeking plus reporting to an external endpoint is still a data exfiltration risk that must be acknowledged.
Install Mechanism
No install spec is provided (instruction-only skill for the platform), but the package contains source and a normal package.json with standard aws-sdk dependencies. Nothing is downloaded from arbitrary URLs or obfuscated; Node >=20 and the official AWS SDK packages are used.
Credentials
Declared required env vars (TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, DLQ_URL, AUDIO_QUEUE_URL, LAMBDA_FUNCTIONS, AWS_REGION) are appropriate for the purpose. However: (1) the skill requires AWS API access (CloudWatch, SQS, Cost Explorer, Bedrock) but does not declare AWS credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_PROFILE) — it implicitly expects instance profile or out-of-band credentials; this mismatch could surprise users. (2) Posting DLQ message contents to Telegram may expose sensitive data; TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID are sensitive and must be protected.
Persistence & Privilege
The skill does not request always:true or any elevated platform persistence. It does not modify other skills or system-wide settings. Autonomous invocation is allowed by default (normal for skills) but not combined with other high-risk flags.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install openclaw-aws-sre-report
  3. After installation, invoke the skill by name or use /openclaw-aws-sre-report
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
v1.0.2: Rescan after ClawHUB fix for .ts MIME type misdetection (openclaw/clawhub#1648).
v1.0.1
v1.0.1: Remove test artifacts and package-lock from published files. Security scan: CLEAN.
v1.0.0
Initial release: Easily run AWS SRE health checks with FinOps analysis and Telegram reporting.
- Queries AWS resources (CloudWatch, SQS DLQ, Lambda, Cost Explorer)
- Uses Amazon Bedrock for automated incident diagnosis
- Generates a structured, actionable SRE report (including context, findings, CTAs)
- Delivers results directly to Telegram chat
- Gracefully handles missing or delayed AWS data; ensures safe, “read-only” checks
- Simple configuration via environment variables
Metadata
Slug openclaw-aws-sre-report
Version 1.0.2
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is Sre Publish?

AWS SRE health check with FinOps — queries CloudWatch, SQS DLQ, and Cost Explorer, generates a Bedrock-powered incident diagnosis (Contexto, Soluções, CTAs),... It is an AI Agent Skill for Claude Code / OpenClaw, with 99 downloads so far.

How do I install Sre Publish?

Run "/install openclaw-aws-sre-report" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Sre Publish free?

Yes, Sre Publish is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Sre Publish support?

Sre Publish is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Sre Publish?

It is built and maintained by Diego Vieira (@vieiradiego); the current version is v1.0.2.
