← 返回 Skills 市场
sdk-team

Alibabacloud Governance Evaluation Report

作者 alibabacloud-skills-team · GitHub ↗ · v0.0.1 · MIT-0
cross-platform ✓ 安全检测通过
135
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install alibabacloud-governance-evaluation-report
功能描述
Alibaba Cloud Governance Center evaluation report skill. Use for querying governance maturity check results, generating structured risk reports, and account...
使用说明 (SKILL.md)

Alibaba Cloud Governance Center Evaluation Report

Guide users to discover governance risks, focus on critical issues, and take remediation actions through a progressive drill-down workflow.

Scenario Description

This skill is a problem-discovery and resolution guide — not a comprehensive audit report generator. It operates as a progressive disclosure funnel:

  1. Overview (quick diagnosis) — Score + pillar distribution + top critical risks → guide user to choose a direction
  2. Pillar analysis (focused drill-down) — All risks in a specific domain, controlled by severity → guide user to specific items
  3. Detail (deep dive) — Single check item with full remediation steps → guide user to related items or resources
  4. Resources (action) — Non-compliant resource listing for targeted remediation

Each layer focuses on the most important information and guides the user to the next level. Avoid information overload — keep output concise and actionable.

Architecture: Governance Center API → CLI (aliyun governance) → governance_query.py (merge + cache) → JSON output → Agent report

How It Works

Data Sources — Three APIs provide all data:

  1. list-evaluation-metadata — Check item definitions (name, description, pillar, level, remediation)
  2. list-evaluation-results — Actual results (status, risk, compliance rate, score)
  3. list-evaluation-metric-details — Non-compliant resource details for a specific check item

Processing — The script (governance_query.py) merges data sources and caches results for 1 hour. It provides 4 query modes: overview, pillar, detail, resources.

Output — Structured JSON for Agent to generate user-friendly reports. Reports are output directly in the conversation as formatted text, NOT written to files.

Prerequisites

Pre-check: Aliyun CLI >= 3.3.0 required Run aliyun version to verify. If not installed or version too low, see references/cli-installation-guide.md for installation instructions. Then [MUST] run aliyun configure set --auto-plugin-install true to enable automatic plugin installation.

aliyun version                                    # >= 3.3.0
aliyun configure set --auto-plugin-install true   # Enable auto plugin install
python3 --version                                 # Python 3.x

Authentication

Configure CLI authentication (OAuth recommended):

# OAuth mode (recommended)
aliyun configure --mode OAuth

## RAM Policy

Requires Governance Center read permissions. See [references/ram-policies.md](references/ram-policies.md) for full policy.

Minimum required permissions:
- `governance:ListEvaluationMetadata`
- `governance:ListEvaluationResults`

Or attach system policy: **AliyunGovernanceReadOnlyAccess**

## Parameter Confirmation

This skill has minimal user-specific parameters. The following may require confirmation:

| Parameter Name | Required/Optional | Description | Default Value |
|----------------|-------------------|-------------|---------------|
| `--profile` | Optional | Aliyun CLI profile name | Default profile |
| `-c, --category` | Required (pillar mode) | Pillar category name | N/A |
| `--id` | Required (detail/resources mode) | Check item metric ID | N/A |
| `--keyword` | Optional (detail mode) | Search keyword for check items | N/A |
| `--max-results` | Optional (resources mode) | Max results per page | 50 |

## Verification

Verify setup before use:

```bash
# Test CLI connection
aliyun governance list-evaluation-results \
  --user-agent AlibabaCloud-Agent-Skills \
  --cli-query "Results.TotalScore"

# Test script
python3 scripts/governance_query.py overview

See references/verification-method.md for detailed steps.

Core Workflow

IMPORTANT: Parameter Confirmation — Before executing any command or API call, ALL user-customizable parameters (e.g., --profile, --category, --id, --keyword, --max-results, etc.) MUST be confirmed with the user. Do NOT assume or use default values without explicit user approval.

IMPORTANT: Output Format — Reports are format specifications for conversation output only. Always output report content directly in the chat message as formatted Markdown. Do NOT create or write report files (e.g., .md, .txt, .html). No file generation is needed.

Script location: scripts/governance_query.py

Global Options

Option Description
--refresh Force refresh cache (default: 1-hour TTL)

Mode 1: overview — Overall Maturity Report

When to use: User asks about overall account health, maturity score, or wants a summary.

python3 scripts/governance_query.py overview
python3 scripts/governance_query.py overview -r Error              # Only high-risk items
python3 scripts/governance_query.py overview -r Error,Warning      # High + medium risk
python3 scripts/governance_query.py --refresh overview             # Force fresh data

Options:

Option Description
-r, --risk Filter RiskyItems by risk level (comma-separated: Error, Warning, Suggestion). PillarSummary and RiskDistribution are always complete.

Output JSON fields:

  • TotalScore — Overall maturity score (0.0-1.0)
  • PillarSummary — Per-pillar statistics (checked/risky counts, always unfiltered)
  • RiskDistribution — Count by risk level (always unfiltered)
  • RiskyItems — Items with risk, filtered by --risk if specified, sorted by severity
  • RiskFilter — Applied risk filter values (only present when --risk is used)

Report format: Read references/report-format-overview.md for the exact output format.

Mode 2: pillar — Pillar-Specific Report

When to use: User asks about a specific domain (security, reliability, cost, etc.).

python3 scripts/governance_query.py pillar -c \x3CCategory> [options]

Options:

Option Description
-c, --category Required. Pillar name (see below)
--risky Only show items with risk (exclude compliant)
-l, --level Filter by recommendation level (comma-separated)
-r, --risk Filter by actual risk level (comma-separated)

Category values:

  • Security — 安全
  • Reliability — 稳定
  • CostOptimization — 成本
  • OperationalExcellence — 效率
  • Performance — 性能

Level values: Critical, High, Medium, Suggestion

Risk values: Error, Warning, Suggestion, None

Examples:

# 安全支柱所有风险项
python3 scripts/governance_query.py pillar -c Security --risky

# 仅严重和高优先级的错误/警告
python3 scripts/governance_query.py pillar -c Security -l Critical,High -r Error,Warning --risky

Output JSON fields:

  • Category, CategoryCN — Pillar name
  • MatchedCount — Number of matched items
  • Items — List of check items with status

Report format: Read references/report-format-pillar.md for the exact output format.

Mode 3: detail — Check Item Detail

When to use: User asks about a specific check item or how to fix an issue.

python3 scripts/governance_query.py detail --id \x3Cmetric-id>
python3 scripts/governance_query.py detail --keyword \x3Csearch-term>

Options:

Option Description
--id Check item ID (e.g., apbxftkv5c)
--keyword Search by name/description (if multiple matches, shows list)

Examples:

# 按 ID 查询
python3 scripts/governance_query.py detail --id apbxftkv5c

# 按关键字搜索
python3 scripts/governance_query.py detail --keyword "MFA"

Output JSON fields:

  • Basic info: Id, DisplayName, Description, Category
  • Status: Status, Risk, Compliance, NonCompliant
  • Remediation — Fix steps (Manual/Analysis/QuickFix)

Report format: Read references/report-format-detail.md for the exact output format. The detail format also covers the resources listing when needed.

Mode 4: resources — Non-Compliant Resources

When to use: User wants to see which specific resources failed a check item.

python3 scripts/governance_query.py resources --id \x3Cmetric-id>

Options:

Option Description
--id Required. Check item ID
--max-results Max results per page (default: 50)

Examples:

# 查询未启用 MFA 的 RAM 用户列表
python3 scripts/governance_query.py resources --id apbxftkv5c

# 查询开放高危端口的安全组
python3 scripts/governance_query.py resources --id a9g6pv7r5b

Output JSON fields:

  • MetricId — Check item ID
  • TotalCount — Number of non-compliant resources
  • Resources[] — List of resources:
    • ResourceId, ResourceName, ResourceType
    • RegionId, ResourceOwnerId
    • Classification — Risk classification
    • Properties — Resource-specific attributes

Mode Selection Guide

User says... Use mode Command Report format
"查查我的账号安全吗" / "成熟度得分" / "分析下治理检测结果" overview overview overview
"有哪些高风险项" / "看下所有高风险" overview overview -r Error overview
"中风险以上的问题" overview overview -r Error,Warning overview
"安全方面有哪些问题" / "XX支柱的风险" pillar pillar -c Security --risky pillar
"网络安全相关的检测项" / "数据库风险" pillar + keyword filter pillar -c Security --risky then filter by keyword pillar
"高优先级的问题" pillar pillar -c Security -l Critical,High --risky pillar
"MFA怎么修" / "XX检测项详情" detail detail --keyword "MFA" detail
"哪些用户没开MFA" / "不合规资源有哪些" detail + resources detail --id xxx then resources --id xxx detail

Default: If user doesn't specify pillar or check item, use overview.

Report format selection: After determining the query mode, read the corresponding report format reference file before generating output. Only read the format file that matches the user's intent — do not read all format files at once.

Field Reference

Field Values Note
Risk Error(高风险) > Warning(中风险) > Suggestion(低风险) > None(合规) Actual detected risk
RecommendationLevel Critical > High > Medium > Suggestion Recommended priority
Status Finished / NotApplicable / Failed Check execution status
Compliance 0.0 - 1.0 1.0 = fully compliant

Cache & Cleanup

Only metadata (check item definitions) is cached locally — results are always fetched in real-time.

  • Cache location: ~/.governance_cache/metadata.json
  • TTL: 24 hours (metadata rarely changes)
  • list-evaluation-results and list-evaluation-metric-details are never cached
# Force refresh metadata cache
python3 scripts/governance_query.py --refresh overview

# Clear cache manually
rm -rf ~/.governance_cache/

Best Practices

  1. Focus, don't dump — Each report layer should highlight what matters most, not list everything. Read the corresponding report format reference for quantity control rules
  2. Follow the funnel — Start with overview, guide user to pillar, then to detail. Don't skip layers unless user explicitly asks for a specific item
  3. Use --risky filter for pillar mode — Reduces noise by hiding compliant items when investigating issues
  4. Prioritize by Risk + Level — Focus on Error risk with Critical/High recommendation level first
  5. Follow remediation guidance — Use detail mode to get actionable fix steps before modifying resources
  6. Always guide next steps — Every report must end with follow-up guidance based on actual data, helping users continue exploring
  7. Cache management — Only metadata is cached (24h TTL); results are always real-time. Use --refresh to force metadata refresh

References

File Content
report-format-overview.md Report format: overall governance overview
report-format-pillar.md Report format: pillar / keyword aggregated analysis
report-format-detail.md Report format: single check item detail + resources
related-apis.md CLI commands and API details
ram-policies.md Required permissions
verification-method.md Verification steps
cli-installation-guide.md CLI installation
安全使用建议
This skill appears to do what it says: it talks to Alibaba Cloud Governance Center via the Aliyun CLI and produces structured reports. Before installing or running it: - Be prepared to authenticate the Aliyun CLI (AK/STSToken/RAM role). Use least-privilege credentials (AliyunGovernanceReadOnlyAccess) and do NOT use root account keys. - Review and accept the side effects: the SKILL.md asks you to run `aliyun configure set --auto-plugin-install true` (this allows the CLI to download plugins) and the script will create a cache directory at ~/.governance_cache. If you dislike automatic plugin installs, install the governance plugin manually instead. - The agent will run the python script which invokes `aliyun governance ...` via subprocess; ensure you confirm any profile/metric IDs/filters before the agent executes commands (the skill instructs confirmation, but the agent may run autonomously depending on your agent settings). - Inspect the cache directory after first run and consider file permissions (cache contains API responses). If you need higher assurance, run the Python script locally yourself to observe behavior before allowing the agent to use the skill. Confidence is medium because the package has no published homepage/author metadata; exercise usual caution with unknown sources even when functionality is coherent.
功能分析
Type: OpenClaw Skill Name: alibabacloud-governance-evaluation-report Version: 0.0.1 The skill bundle is a legitimate tool for generating Alibaba Cloud Governance Center evaluation reports. The core logic in `scripts/governance_query.py` interacts with the official Alibaba Cloud CLI (`aliyun`) using safe subprocess calls to fetch governance metadata and results. The instructions in `SKILL.md` and the various reference files (e.g., `report-format-overview.md`, `ram-policies.md`) are well-documented, emphasize user confirmation for parameters, and restrict the agent to providing formatted chat responses rather than performing unauthorized file system or network operations. No indicators of malicious intent, data exfiltration, or prompt injection attacks were identified.
能力标签
requires-walletrequires-oauth-token
能力评估
Purpose & Capability
Name/description match the implementation: the Python script calls the Aliyun CLI (aliyun governance ...) to retrieve metadata, results, and metric details and produces JSON for the agent. No unrelated services, binaries, or credentials are requested by the skill itself; the required permissions (governance:ListEvaluationMetadata, ListEvaluationResults, ListEvaluationMetricDetails) are exactly what the described functionality needs.
Instruction Scope
SKILL.md correctly documents running the Aliyun CLI and the Python script and includes a strong rule: confirm user parameters before executing commands. The script itself calls the CLI via subprocess.run and will read/write a local cache (~/.governance_cache). Also the instructions require running `aliyun configure set --auto-plugin-install true`, which enables automatic plugin installation in the CLI (a side effect that causes the CLI to download plugins at runtime). These behaviors are coherent with the skill's purpose but are side effects you should be aware of.
Install Mechanism
No install spec is present (instruction-only plus a script). That is lower risk than arbitrary remote installs. The CLI is expected and the README points to official Aliyun CLI release URLs for manual installation. No third-party or shortener URLs are used for installing the skill itself.
Credentials
The skill does not declare or request unrelated environment variables. The needed credentials are the standard Alibaba Cloud CLI credentials (AK/STStoken/RAM role/etc.) described in the docs, which are appropriate and proportional to querying Governance Center. Note: the skill will use whatever credentials the CLI is configured with (including env vars or ~/.aliyun/config.json), so ensure least-privilege (AliyunGovernanceReadOnlyAccess) and avoid using root credentials.
Persistence & Privilege
always:false (no forced permanent inclusion). The script creates and uses a cache directory in the user's home (~/.governance_cache) and may remove cached JSON files when --refresh is used. This is reasonable for performance but is persistent state written to the user's home—review and control that directory if needed. The skill does not modify other skills or global agent settings.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install alibabacloud-governance-evaluation-report
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /alibabacloud-governance-evaluation-report 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.0.1
Initial release of Alibaba Cloud Governance Center evaluation report skill. - Provides interactive maturity, risk, and compliance reporting powered by the Alibaba Cloud Governance Center APIs. - Supports progressive drill-down workflow: overview → pillar analysis → check detail → non-compliant resource listing. - Outputs are structured and formatted for chat, not as files. - Requires Alibaba Cloud CLI (≥3.3.0) with Governance Center read permissions. - All user-specific parameters (profile, pillar, check ID, etc.) must be confirmed before execution.
元数据
Slug alibabacloud-governance-evaluation-report
版本 0.0.1
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 1
常见问题

Alibabacloud Governance Evaluation Report 是什么?

Alibaba Cloud Governance Center evaluation report skill. Use for querying governance maturity check results, generating structured risk reports, and account... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 135 次。

如何安装 Alibabacloud Governance Evaluation Report?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install alibabacloud-governance-evaluation-report」即可一键安装,无需额外配置。

Alibabacloud Governance Evaluation Report 是免费的吗?

是的,Alibabacloud Governance Evaluation Report 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

Alibabacloud Governance Evaluation Report 支持哪些平台?

Alibabacloud Governance Evaluation Report 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Alibabacloud Governance Evaluation Report?

由 alibabacloud-skills-team(@sdk-team)开发并维护,当前版本 v0.0.1。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 留言讨论