Security scan
OpenClaw
Suspicious
medium confidence
The skill's instructions fit its stated purpose (querying Aliyun SLS) but metadata omits required credential/config declarations and the runtime guidance encourages practices (passing/storing keys) that could expose secrets — review before installing or supplying credentials.
Assessment recommendations
This skill appears to do what it says (query Aliyun SLS) but pay attention before supplying credentials. The SKILL.md expects access_id/access_key and to write a config file (~/.aliyunlogcli), yet the registry metadata does not declare those requirements — that mismatch should be resolved by the publisher. If you install/use it:
- Prefer using a low-privilege or temporary STS token, not long-lived production keys.
- Avoid passing secrets on the command line when possible (they appear in process ...
Detailed analysis
ℹ Purpose and capability
Name/description match the instructions: the SKILL.md describes installing an Aliyun SLS CLI and running queries. However the registry metadata declares no required credentials or config paths while the instructions clearly require access_id/access_key and write/read a config file (~/.aliyunlogcli). This mismatch is an incoherence in the manifest.
ℹ Instruction scope
Instructions stay within the stated purpose (install CLI, configure credentials, run queries). They instruct the agent to prompt the user for access_id/access_key and to consult/append the local references/project_mapping.md. They do not ask to read unrelated system files. Caveat: they recommend passing credentials as CLI flags and storing credentials in a plaintext config, both of which can leak secrets (process lists, disk).
ℹ Install mechanism
This is an instruction-only skill (no install spec). The doc tells users to run a pip install (uv pip install -U aliyun-log-cli). That is a reasonable approach, but 'uv pip' is an environment-specific wrapper not declared in metadata; the package name should be validated (source/trust of 'aliyun-log-cli' on PyPI). No remote arbitrary downloads or extract steps are present.
⚠ Credential requirements
The skill requires Aliyun access_id/access_key to operate, but the registry metadata lists no required env vars or primary credential and no required config path. The SKILL.md also instructs storing credentials in ~/.aliyunlogcli and passing creds via command-line flags — both increase the risk of credential exposure. The absence of declared credential requirements in metadata is a notable mismatch.
ℹ Persistence and privileges
always is false and the skill does not request elevated platform privileges. It does instruct creating/updating a local config file (~/.aliyunlogcli) and appending entries to references/project_mapping.md; these are limited to the skill's own files and are normal but you should be aware they persist credentials/mappings on disk.
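Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/3/22
Aliyun Log Query
● Harmless
Install command
Official: npx clawhub@latest install aliyun-log-query
Mirror (accelerated): npx clawhub@latest install aliyun-log-query --registry https://cn.clawhub-mirror.com
Skill documentation
Installation
Install the CLI with uv: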
uv pip install -U aliyun-log-cli
Verify the installation:
aliyunlog --version
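Configure authentication
The CLI supports three methods (priority: command-line arguments > environment variables > configuration file).
If the user has not provided access_id and access_key, guide the user to provide them before running a query.
Method 1: the configure command (recommended)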
aliyunlog configure
Example:
aliyunlog configure LTAIxxxxxxxx xxxxxxxxx cn-hangzhou.log.aliyuncs.com
Using HTTPS:
aliyunlog configure LTAIxxxxxxxx xxxxxxxxx https://cn-hangzhou.log.aliyuncs.com
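Configuration file location: ~/.aliyunlogcli; the default account block name is main.
Method 2: pass parameters directly on the command line
aliyunlog log get_log_all \
--access-id=<access_id> \
--access-key=<access_key> \
--region-endpoint=<endpoint> \
--project=<project> \
--logstore=<logstore> \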
...
Mapping rule from SDK methods to CLI commands
Rule: aliyunlog log <subcommand> maps to the method name of the SDK's LogClient, with parameters corresponding one to one.
Example:
- client.create_logstore(project_name, logstore_name, ttl=2, shard_count=30)
- → aliyunlog log create_logstore --project_name=... --logstore_name=... --ttl=... --shard_count=...
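Log queries (SQL mode)
Use --power_sql=true to enable enhanced SQL mode, and control the number of returned rows with SQL LIMIT so that an oversized result does not overflow the context.
If the user has not specified project and logstore, first consult references/project_mapping.md to look up the corresponding values.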
Command Template
aliyunlog log get_log_all \
--project="{{project}}" \
--logstore="{{logstore}}" \
--from_time="{{from_time}}" \
--to_time="{{to_time}}" \
--query=" | SELECT * FROM log WHERE {{query}} LIMIT {{limit}}" \
--power_sql=true
Inputs
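| Parameter | Required | Description |
|---|---|---|
| project | ✅ | SLS project name |
| logstore | ✅ | Logstore name |
| from_time | ✅ | Start time (a string such as "2026-03-18 10:00:00", or a timestamp) |
| to_time | ✅ | End time |
| query | ❌ | SQL WHERE condition (default "1=1" means no filtering) |
| limit | ❌ | Maximum number of rows returned (default 10) |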
Behavior
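- query is converted into a SQL WHERE condition
- Automatically builds SELECT * FROM log WHERE {{query}} LIMIT {{limit}}
- Enables --power_sql=true
- Default limit=10, to avoid oversized output
Important: never query all logs at once; always use LIMIT to cap the number of returned rows.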
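One way to build the command from the template and behaviour described above, as an added example that is not part of the skill's own code. The helper name build_get_log_all, the 100-row ceiling, the name pattern and the rejected-token list are assumptions; credential flags are left out on purpose so keys never appear in the process list.

```python
import re

MAX_LIMIT = 100  # assumed ceiling; the page only fixes the default of 10
NAME_RE = re.compile(r"[a-z0-9][a-z0-9_-]{1,62}")  # assumed naming rule
# Tokens that could end the WHERE clause early or neutralise the appended LIMIT.
FORBIDDEN_RE = re.compile(r";|--|/\*|\||\blimit\b", re.IGNORECASE)


def build_get_log_all(project, logstore, from_time, to_time, query="1=1", limit=10):
    """Return the argv list for `aliyunlog log get_log_all` (hypothetical helper)."""
    for label, value in (("project", project), ("logstore", logstore)):
        if not NAME_RE.fullmatch(value):
            raise ValueError(f"invalid {label}: {value!r}")
    for label, value in (("from_time", from_time), ("to_time", to_time)):
        if not str(value).strip():
            raise ValueError(f"{label} is required")
    if FORBIDDEN_RE.search(query):
        raise ValueError("query must be a bare WHERE condition")
    rows = max(1, min(int(limit), MAX_LIMIT))  # clamp so LIMIT is always bounded
    sql = f" | SELECT * FROM log WHERE {query} LIMIT {rows}"
    # No --access-id/--access-key here: credentials stay out of the process
    # list and come from the CLI's config file or environment instead.
    return [
        "aliyunlog", "log", "get_log_all",
        f"--project={project}",
        f"--logstore={logstore}",
        f"--from_time={from_time}",
        f"--to_time={to_time}",
        f"--query={sql}",
        "--power_sql=true",
    ]


if __name__ == "__main__":
    import shlex
    # Constructed sample input, mirroring the page's own example values.
    print(shlex.join(build_get_log_all(
        "my-project", "app-log",
        "2026-03-18 10:00:00", "2026-03-18 11:00:00",
        query="log like '%ERROR%'", limit=5000)))
```

Pass the returned list to subprocess.run without shell=True so the query text is never re-parsed by a shell.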
Examples
1. Query all logs (limit 10)
aliyunlog log get_log_all \
--project="my-project" \
--logstore="app-log" \
--from_time="2026-03-18 10:00:00" \
--to_time="2026-03-18 11:00:00" \
--query="1=1" \
--limit=10 \
--power_sql=true
2. Query error logs
aliyunlog log get_log_all \
--project="my-project" \
--logstore="app-log" \
--from_time="2026-03-18 10:00:00" \
--to_time="2026-03-18 11:00:00" \
--query="log like '%ERROR%'" \
--limit=10 \
--power_sql=true
3. Field filter
aliyunlog log get_log_all \
--project="my-project" \
--logstore="app-log" \
--from_time="2026-03-18 10:00:00" \
--to_time="2026-03-18 11:00:00" \
--query="status = 500" \
--limit=10 \
--power_sql=true
4. URL statistics
aliyunlog log get_log_all \
--project="my-project" \
--logstore="app-log" \
--from_time="2026-03-18 10:00:00" \
--to_time="2026-03-18 11:00:00" \
--query=" | SELECT url, COUNT(*) AS cnt GROUP BY url ORDER BY cnt DESC LIMIT 10" \
--power_sql=true
Output format
Formatted JSON output
aliyunlog log list_project --format-output=json,no_escape
Set the default format
aliyunlog configure --format-output=json,no_escape
Default output
{
"logs": [...],
"count": 100,
"total": 1000
}
Error Handling
- CLI execution fails → output stderr
- No results → {"logs": [], "count": 0}
Notes
SQL WHERE condition syntax:
- Full-text search: log like '%ERROR%'
- Field filter: status = 500, method = 'GET'
- Combined conditions: log like '%ERROR%' AND status = 500
Statistical queries (no WHERE) are written directly as complete SQL:
| SELECT url, COUNT(*) AS cnt GROUP BY url LIMIT 10
Recommendations:
- Limit the time range to avoid slow queries
- Default limit=10, to avoid oversized output
Data source: ClawHub · Chinese localization: 龙虾技能库