功能描述

Alibaba Cloud KMS Secret Management Skill. Used for managing secrets in KMS, supporting create, delete, update, query operations, version management, and rot...

使用说明 (SKILL.md)

Alibaba Cloud KMS Secret Management

Name: Alibabacloud Kms Secret Manage
Author: sdk-team

This Skill provides core functionality for Alibaba Cloud Key Management Service (KMS) secret management, supporting CRUD operations on secrets.

Scenario Description

KMS Secret Management service is used to securely store, manage, and access sensitive information, such as:

Database connection credentials
API keys
OAuth tokens
Certificate private keys
Other sensitive data requiring secure storage

Architecture: Alibaba Cloud KMS Service + Secret Management (Secrets Manager)

graph TB
    User[Application/User] --> KMS[KMS Secret Management]
    KMS --> Secret[Generic Secret]
    Secret --> V1[Version 1]
    Secret --> V2[Version 2]
    Secret --> VN[Version N]
    KMS --> Rotation[Rotation Secret]
    Rotation --> RDS[RDS Managed Secret]
    Rotation --> RAM[RAM Managed Secret]
    Rotation --> ECS[ECS Managed Secret]
    Rotation --> Redis[Redis Managed Secret]
    Rotation --> PolarDB[PolarDB Managed Secret]

Environment Setup

Dependency: Aliyun CLI. If command not found error occurs, refer to references/cli-installation-guide.md for installation.

Timeout Configuration

Set appropriate timeouts for CLI commands to avoid hanging:

# Set timeout environment variables (in seconds)
export ALIBABA_CLOUD_CONNECT_TIMEOUT=30
export ALIBABA_CLOUD_READ_TIMEOUT=30

Or use command-line flags:

aliyun kms \x3Caction> --connect-timeout 30 --read-timeout 30 ...

Recommended timeout values:

Connection timeout: 30 seconds
Read timeout: 30 seconds

Security Rules

Prohibited: Reading, printing, or displaying AK/SK values

Prohibited: Requiring users to directly input AK/SK in conversation

Sensitive Data Masking: Secret values returned by GetSecretValue are masked by default (e.g., ***), only output in plaintext when user explicitly requests

RAM Permission Requirements

Ensure the executing user has the following KMS permissions. For detailed policies, see references/ram-policies.md.

Minimum Permissions (Read-Only):

kms:DescribeSecret, kms:ListSecrets, kms:GetSecretValue, kms:ListSecretVersionIds, kms:GetSecretPolicy

Full Permissions (Read-Write):

kms:CreateSecret, kms:DeleteSecret, kms:UpdateSecret, kms:DescribeSecret, 
kms:ListSecrets, kms:GetSecretValue, kms:PutSecretValue, kms:ListSecretVersionIds,
kms:UpdateSecretVersionStage, kms:UpdateSecretRotationPolicy, kms:RotateSecret,
kms:RestoreSecret, kms:SetSecretPolicy, kms:GetSecretPolicy,
kms:ListKmsInstances, kms:ListKeys, kms:CreateKey

Core Workflows

1. Create Secret

Creating a secret requires obtaining the KMS instance ID and encryption key ID first, then executing the creation.

# Step 1: Get KMS Instance ID
aliyun kms ListKmsInstances --PageNumber 1 --PageSize 10 --region \x3Cregion-id> --user-agent AlibabaCloud-Agent-Skills
# → Extract KmsInstances.KmsInstance[0].KmsInstanceId

# Step 2: Get Encryption Key ID
aliyun kms ListKeys --Filters '[{"Key":"KeySpec","Values":["Aliyun_AES_256"]},{"Key":"DKMSInstanceId","Values":["\x3Cinstance-id>"]}]' --PageNumber 1 --PageSize 10 --region \x3Cregion-id> --user-agent AlibabaCloud-Agent-Skills
# → Extract Keys.Key[0].KeyId

# Step 3: Create Secret (requires DKMSInstanceId and EncryptionKeyId)
aliyun kms CreateSecret --SecretName "\x3Csecret-name>" --SecretData "\x3Csecret-value>" --VersionId "\x3Cversion-id>" --EncryptionKeyId "\x3Ckey-id>" --DKMSInstanceId "\x3Cinstance-id>" --region \x3Cregion-id> --user-agent AlibabaCloud-Agent-Skills

2. List Secrets

aliyun kms ListSecrets --region \x3Cregion-id> --user-agent AlibabaCloud-Agent-Skills

3. Get Secret Value

Security Policy:

If user does NOT explicitly request the secret value: Only provide the CLI command or Python code script. DO NOT execute.

If user explicitly requests to get/retrieve/show the secret value: Provide the command/script first, then execute after user confirms.

CLI Command:

aliyun kms GetSecretValue --SecretName "\x3Csecret-name>" --region \x3Cregion-id> --user-agent AlibabaCloud-Agent-Skills

Python SDK Example:

from alibabacloud_tea_openapi.client import Client as OpenApiClient
from alibabacloud_tea_openapi import models as open_api_models
from alibabacloud_credentials.client import Client as CredentialClient
from alibabacloud_tea_util import models as util_models

credential = CredentialClient()
config = open_api_models.Config(credential=credential)
config.endpoint = 'kms.\x3Cregion-id>.aliyuncs.com'
client = OpenApiClient(config)

params = open_api_models.Params(
    action='GetSecretValue',
    version='2016-01-20',
    protocol='HTTPS',
    method='POST',
    auth_type='AK',
    style='RPC',
    pathname='/',
    req_body_type='json',
    body_type='json'
)

body = {'SecretName': '\x3Csecret-name>'}
runtime = util_models.RuntimeOptions()
request = open_api_models.OpenApiRequest(body=body)
response = client.call_api(params, request, runtime)
print(response.body)

Note:

Only execute the retrieval after user explicitly confirms

The secret value contains sensitive information that should be handled with care

Always remind user to execute in a secure environment (private terminal, no screen sharing, no logging)

4. Delete Secret

Pre-check before deletion (Safety Requirement):

Before force deleting a secret, always verify its existence and check if it's still in use:

# Step 1: Describe the secret to verify existence and check metadata
aliyun kms DescribeSecret --SecretName "\x3Csecret-name>" --region \x3Cregion-id> --user-agent AlibabaCloud-Agent-Skills
# → Check SecretName, CreateTime, and other metadata to confirm this is the correct secret

If DescribeSecret returns error (secret not found):

Stop and inform user: "Secret does not exist, no deletion needed"

If DescribeSecret succeeds:

Review the secret metadata
Confirm with user before proceeding with force deletion

# Step 2: Force delete (immediate deletion, cannot be recovered)
aliyun kms DeleteSecret --SecretName "\x3Csecret-name>" --ForceDeleteWithoutRecovery true --region \x3Cregion-id> --user-agent AlibabaCloud-Agent-Skills

Idempotency: If Forbidden.ResourceNotFound error is returned, it means the secret does not exist, treat as deletion successful and continue with subsequent operations.

5. Update Secret Value

aliyun kms PutSecretValue --SecretName "\x3Csecret-name>" --SecretData "\x3Cnew-secret-value>" --VersionId "\x3Cnew-version-id>" --region \x3Cregion-id> --user-agent AlibabaCloud-Agent-Skills

6. Describe Secret

aliyun kms DescribeSecret --SecretName "\x3Csecret-name>" --region \x3Cregion-id> --user-agent AlibabaCloud-Agent-Skills

7. List Secret Versions

aliyun kms ListSecretVersionIds --SecretName "\x3Csecret-name>" --IncludeDeprecated true --region \x3Cregion-id> --user-agent AlibabaCloud-Agent-Skills

8. Configure Rotation Policy

aliyun kms UpdateSecretRotationPolicy --SecretName "\x3Csecret-name>" --EnableAutomaticRotation true --RotationInterval 7d --region \x3Cregion-id> --user-agent AlibabaCloud-Agent-Skills

9. Restore Deleted Secret

aliyun kms RestoreSecret --SecretName "\x3Csecret-name>" --region \x3Cregion-id> --user-agent AlibabaCloud-Agent-Skills

Idempotency: If Rejected.ResourceInUse error is returned, it means the secret has been restored or was not deleted, treat as restore successful and continue with subsequent operations.

Advanced Features

For managed credentials and other advanced features, see references/managed-credentials.md.

Reference Links

Document	Description
references/related-apis.md	API detailed description
references/ram-policies.md	RAM permission policies
references/managed-credentials.md	Managed credentials guide

安全使用建议

This skill appears to be a genuine Alibaba Cloud KMS secret-management guide, but it omits an explicit declaration of how credentials will be provided. Before installing or invoking it: 1) Confirm how your agent/runtime will supply Alibaba Cloud credentials (environment vars, ~/.aliyun/config.json, ECS RAM role, or explicit user input). 2) Never paste AK/SK into a conversational prompt; prefer ECS RAM roles or short-lived STS tokens. 3) Be cautious with commands that retrieve secret values — the skill documents a good safety rule (only retrieve after explicit confirmation); keep that workflow and run sensitive commands in a private, audited terminal. 4) If you do not want the agent to ever access secrets autonomously, disable autonomous invocation or require manual confirmation for all sensitive operations. 5) For least privilege, grant only the specific KMS permissions required (e.g., GetSecretValue for runtime retrieval) rather than broad wildcards. If you want higher confidence, ask the publisher to update the skill metadata to declare required credential sources (primaryEnv) and to explicitly forbid reading host credential/config files without user consent.

功能分析

Type: OpenClaw Skill Name: alibabacloud-kms-secret-manage Version: 0.0.2 The skill bundle provides a legitimate and well-documented interface for managing Alibaba Cloud KMS secrets via the Aliyun CLI and Python SDK. The instructions in SKILL.md include explicit security safeguards, such as prohibiting the display of Access Keys, requiring user confirmation before retrieving secret values, and implementing safety checks before deletion. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found across the provided files (SKILL.md, related-apis.md, ram-policies.md).

能力评估

ℹ Purpose & Capability

Name/description and the CLI/SDK examples align with an Alibaba Cloud KMS secret-management skill. However, the skill does not declare any primary credential or required env vars even though every actionable CLI/SDK call requires Alibaba Cloud credentials (AK/SK, STS token, or an ECS RAM role). This omission is an inconsistency: a KMS management skill legitimately needs cloud credentials and should declare them (or document expected credential sources) explicitly.

ℹ Instruction Scope

SKILL.md contains concrete CLI commands, SDK examples, and safety rules (e.g., do not print AK/SK, only execute GetSecretValue after explicit user confirmation). That scope is appropriate for secret management. Minor concerns: the documentation and examples show how to configure credentials (including command-line flags with AK/SK) and reference config files (~/.aliyun/config.json) and several environment variables (ALIBABA_CLOUD_*). Those references grant the agent implicit discretion to use credentials/config stored on the host unless the platform restricts that — the skill should explicitly state how credentials will be obtained and handled at runtime.

✓ Install Mechanism

Instruction-only skill with no install spec and no code files — lowest installation risk. CLI install docs reference official Alibaba download hosts (aliyuncli.alicdn.com) which are expected for Aliyun CLI installation; no third-party or opaque downloads are present.

⚠ Credentials

The skill lists no required environment variables or primary credential, but the content explicitly references and relies on environment variables and credential configuration (ALIBABA_CLOUD_ACCESS_KEY_ID/SECRET, ALIBABA_CLOUD_REGION_ID, ALIBABA_CLOUD_* timeouts, and ~/.aliyun/config.json). That is a proportionality mismatch: the skill should declare the credentials it needs. Also the docs include command examples for setting AK/SK via CLI flags, which can encourage insecure handling of secrets if followed without caution.

✓ Persistence & Privilege

always is false and there is no install-time persistence. The skill can be invoked autonomously (platform default), which is normal for skills; that combined with credential access is worth user attention but is not flagged by itself.

版本历史

v0.0.2

alibabacloud-kms-secret-manage v0.0.2 - Added detailed usage and workflow instructions for all Alibaba Cloud KMS secret management operations (create, delete, update, query, versioning, rotation, restore). - Introduced explicit security rules, including sensitive data masking, user confirmation for secret retrieval, and AK/SK handling prohibitions. - Documented minimal and full RAM permission requirements for skill operation. - Provided practical CLI and Python SDK examples for interacting with Alibaba Cloud KMS secrets. - Outlined dependency and timeout setup for stable CLI usage. - Included safety checks and confirmations for destructive actions such as secret deletion.

元数据

Slug alibabacloud-kms-secret-manage

版本 0.0.2

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题

Alibabacloud Kms Secret Manage 是什么？

Alibaba Cloud KMS Secret Management Skill. Used for managing secrets in KMS, supporting create, delete, update, query operations, version management, and rot... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 99 次。

如何安装 Alibabacloud Kms Secret Manage？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install alibabacloud-kms-secret-manage」即可一键安装，无需额外配置。

Alibabacloud Kms Secret Manage 是免费的吗？

是的，Alibabacloud Kms Secret Manage 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Alibabacloud Kms Secret Manage 支持哪些平台？

Alibabacloud Kms Secret Manage 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Alibabacloud Kms Secret Manage？

由 alibabacloud-skills-team（@sdk-team）开发并维护，当前版本 v0.0.2。

Alibabacloud Kms Secret Manage