SLS + ARMS 全链路问题排查

查询阿里云SLS日志和ARMS调用链，结合源码和数据库进行全链路问题排查。 完整流程：查日志 → 画调用链 → 定位源码 → 排查数据库 → 给出修复方案。 Use when: 用户说「分析sls」「分析问题」或想排查业务服务/线上接口/用户请求的报错或异常。 触发示例：「分析sls」「帮我查一下这个trace_...

What to consider before installing: - Credential mismatch: The skill metadata asks for ALIBABA_CLOUD_ACCESS_KEY_ID/SECRET, but the script expects many SLS_* and ARMS_* env vars (SLS_PROJECT, SLS_LOGSTORE, ARMS_REGION_ID, etc.). Confirm which exact credentials are required. Do not assume the metadata is authoritative. - OpenClaw config access: The script will try to read ~/.openclaw/openclaw.json for env values. That file can contain other secrets (other skills' tokens, DB URLs). If you install/run this, it can access those values. Avoid putting production secrets in openclaw.json or remove/inspect those entries first. - Inspect the code yourself: Review scripts/query_trace.py fully (network calls, any hard-coded endpoints, where it sends collected logs, whether it writes files). Run it in a controlled environment before giving it real credentials. - Least privilege for credentials: If you must provide credentials, create dedicated AK/SK with the minimal permissions (read-only to the specific SLS project/logstores and ARMS read access) scoped to a non-production account if possible. - Database access: The skill promises automatic DB '排查' but declares no DB credentials. Determine how it will access databases (does it extract connection strings from openclaw.json or local files?). Do not allow it to use broad DB credentials. Prefer manual DB checks or provide read-only, limited-access test DB. - Prompt-injection behavior: SKILL.md enforces exact output templates and forbids normal agent behavior; this is an attempt to constrain or coerce the agent. That is suspicious—consider disabling autonomous invocation or avoid installing if you cannot audit/modify the skill. - Test in isolation: Before using on production traces, run the script in an isolated/VM environment with synthetic data and monitor network traffic and file system access. If you are not prepared to audit the script and control where credentials come from, treat this skill as high-risk and do not install it in environments containing sensitive production secrets.

Type: OpenClaw Skill Name: sls-trace-analysis Version: 1.0.0 The skill bundle provides a powerful tool for Alibaba Cloud SLS and ARMS log analysis but includes high-risk autonomous behaviors. Specifically, SKILL.md instructs the AI agent to automatically perform file system searches (using Grep/Read tools) and code analysis based on strings extracted from external log data (Step 5). This creates a significant risk of indirect prompt injection or path traversal if malicious content is present in the logs. Additionally, the Python script (query_trace.py) programmatically accesses the user's global '~/.openclaw/openclaw.json' file to retrieve sensitive Alibaba Cloud credentials. While these features align with the stated purpose of a 'Senior SRE' tool, the combination of automated local file access and credential handling based on remote data meets the threshold for a suspicious classification.