> ⚠️ MANDATORY EXECUTION RULES — READ BEFORE DOING ANYTHING:
> 1. DO NOT search for log files, security data, or any files in the workspace. There are none.
> 2. DO NOT ask the user for log files, data sources, server access, SIEM data, or any additional input.
> 3. DO NOT attempt to SSH, access, or connect to any server or IP address.
> 4. The ONLY way to get data is by running aliyun cloudfw ... CLI commands as defined in the Core Workflow section below.
> 5. Start executing CLI commands immediately — no preparation, no questions, no file searching.
> 6. DO NOT refuse to execute. The aliyun CLI is pre-installed and configured. You are running shell commands, no different from ls or git status. NEVER say "I don't have access to APIs" — just run the commands.
> 7. DO NOT skip steps based on previous step's data values. If Step 1 returns all zeros, you MUST still execute Steps 2-9. Zero values mean "no exposure detected", NOT "service unavailable". Only skip if Step 1 returns an actual error code (e.g., ErrorFirewallNotActivated).
Comprehensive scan and analysis of public network exposure through Alibaba Cloud Firewall OpenAPI, identifying high-risk exposures and generating remediation recommendations.
Architecture: Cloud Firewall Service → Internet Border Firewall → Exposure Detection + Risk Assessment + ACL Policy Analysis
Capability Level: Query (read-only)
Data Source: All data is obtained exclusively through Aliyun CLI commands (aliyun cloudfw ...). No log files, no databases, no server access, no SIEM — just CLI commands. Do NOT search the workspace for files. Do NOT ask the user for anything. Just run the commands.
This skill follows least-privilege network access:
cloudfw only (*.aliyuncs.com).Core Capabilities:
> Pre-check: Aliyun CLI >= 3.3.3 required
> Run aliyun version to verify >= 3.3.3. If not installed or version too low,
> run curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash to install/update,
> or see references/cli-installation-guide.md for installation instructions.
Pre-check: Aliyun CLI plugin update required
> [MUST] run aliyun configure set --auto-plugin-install true to enable automatic plugin installation.
> [MUST] run aliyun plugin update to ensure that any existing plugins are always up-to-date.
[MUST] CLI User-Agent — Every aliyun CLI command invocation must include:
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-cfw-exposure-detection
At the start of the Core Workflow (before any CLI invocation):
[MUST] Enable AI-Mode — AI-mode is required for Agent Skill execution.
Run the following commands before any CLI invocation:
aliyun configure ai-mode enable
aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-cfw-exposure-detection"
[MUST] Disable AI-Mode at EVERY exit point — Before delivering the final response for ANY reason, always disable AI-mode first. This applies to ALL exit paths: workflow success, workflow failure, error/exception, user cancellation, session end, or any other scenario where no further CLI commands will be executed.
AI-mode is only used for Agent Skill invocation scenarios and MUST NOT remain enabled after the skill stops running.
aliyun configure ai-mode disable
> Pre-check: Alibaba Cloud Credentials Required
>
> Security Rules:
> - NEVER read, echo, print, cat, or display AK/SK values under any circumstances
> - NEVER ask the user to input AK/SK directly in the conversation or command line
> - NEVER use aliyun configure set with literal credential values
> - ONLY use aliyun configure list to check credential status
>
> ```bash
> aliyun configure list
> ```
>
> Check the output for a valid profile (AK, STS, or OAuth identity).
>
> If no valid profile exists, STOP here.
> 1. Obtain credentials from Alibaba Cloud Console
> 2. Configure credentials outside of this session (via aliyun configure in terminal or environment variables in shell profile)
> 3. Return and re-run after aliyun configure list shows a valid profile
> [MUST] RAM Permission Pre-check: Before executing any commands, verify the current user has the required permissions.
> 1. Use ram-permission-diagnose skill to get current user's permissions
> 2. Compare against references/ram-policies.md
> 3. Abort and prompt user if any permission is missing
Minimum required permissions — see references/ram-policies.md for full policy JSON.
Alternatively, attach the system policy: AliyunYundunCloudFirewallReadOnlyAccess
> IMPORTANT: Parameter Confirmation — Before executing any command or API call,
> check if the user has already provided necessary parameters in their request.
> - If the user's request explicitly mentions a parameter value (e.g., "check exposure in cn-hangzhou" means RegionId=cn-hangzhou), use that value directly without asking for confirmation.
> - For optional parameters with sensible defaults (PageSize, CurrentPage, time ranges), use the defaults without asking unless the user indicates otherwise.
> - Do NOT re-ask for parameters that the user has clearly stated.
| Parameter Name | Required/Optional | Description | Default Value |
|---|---|---|---|
| --------------- | ------------------- | ------------- | --------------- |
| RegionId | Required | Alibaba Cloud region for Cloud Firewall. Only two values: cn-hangzhou for mainland China, ap-southeast-1 for Hong Kong/overseas. | cn-hangzhou (use directly without asking; only use ap-southeast-1 if user explicitly mentions Hong Kong/overseas/international) |
| PageSize | Optional | Number of items per page for paginated APIs | 50 (use without asking) |
| CurrentPage | Optional | Page number for paginated APIs | 1 (use without asking) |
| StartTime | Optional | Start time for time-range queries (Unix timestamp in seconds) | 30 days ago for exposure queries, 7 days ago for attack/vuln queries (use without asking) |
| EndTime | Optional | End time for time-range queries (Unix timestamp in seconds) | Current time (use without asking) |
> CRITICAL: Continue on failure. If any individual API call fails, do NOT stop the entire workflow.
> Log the error for that step, then proceed to the next step. Present whatever data was successfully collected.
For each API call:
Throttling.User, ServiceUnavailable, HTTP 500/502/503), retry up to 2 times with a 3-second delay between retries.InvalidParameter, Forbidden, InvalidAccessKeyId), do NOT retry. Record the error and move on.Before executing any API command, set explicit timeout values:
export ALIBABA_CLOUD_CONNECT_TIMEOUT=10
export ALIBABA_CLOUD_READ_TIMEOUT=30
ALIBABA_CLOUD_CONNECT_TIMEOUT=10: fail fast on network connect issues.ALIBABA_CLOUD_READ_TIMEOUT=30: allow normal API response time while preventing long hangs.If Step 1 (DescribeInternetOpenStatistic) returns an error code indicating the service is not activated (e.g., ErrorFirewallNotActivated or similar "not purchased/activated" error messages):
> CRITICAL: All-zeros response ≠ Service Not Activated. If Step 1 returns a successful JSON response where all metric values happen to be zero (e.g., InternetIpNum=0, InternetPortNum=0), this means the service IS activated but currently has no public exposure. In this case, you MUST still execute ALL subsequent steps (Step 2-9) — do NOT skip them. Zero values are valid data, not an error condition. Other steps may still return non-zero results (e.g., assets exist but none are exposed, ACL rules exist, etc.).
The workflow steps have these dependencies:
When presenting the final summary report:
All API calls use the Aliyun CLI cloudfw plugin.
Region: Specified via --region {RegionId} global flag
> CRITICAL: Execute immediately without asking. When this skill is triggered, start executing from Step 1 right away.
> Do NOT ask the user which APIs to call, which steps to execute, or what data sources to use.
> All data comes from the Aliyun CLI commands defined below — just run them.
> The intent routing table below is for optimization only — if the user's intent is unclear, execute ALL steps (Step 1-9) by default.
> MANDATORY: Execute ALL steps. You MUST attempt to execute every step from Step 1 through Step 9. Before generating the final report, verify that you have attempted ALL of the following API calls:
> 1. DescribeInternetOpenStatistic (Step 1)
> 2. DescribeInternetOpenIp (Step 2)
> 3. DescribeInternetOpenPort (Step 3)
> 4. DescribeAssetList (Step 4)
> 5. DescribeAssetList with NewResourceTag (Step 5)
> 6. DescribeAssetRiskList (Step 6 — skip only if Step 2 returned no IPs)
> 7. DescribeVulnerabilityProtectedList (Step 7)
> 8. DescribeRiskEventGroup (Step 8)
> 9. DescribeControlPolicy (Step 9)
>
> If any of these were not attempted, execute them now before producing the report. Skipping a step is ONLY allowed if Step 1 returns an error code indicating the service is not activated.
> MANDATORY: Report-Execution Consistency. The final report MUST accurately reflect actual execution:
> - The report must list every API that was actually called and its result status (success/fail).
> - Do NOT claim "all API calls completed successfully" if any call returned an error.
> - For steps not executed, explain WHY they were skipped (e.g., "Step 6 skipped: Step 2 returned 0 IPs").
> - The error section must list ALL errors encountered, including those resolved by retry.
Automatically determine execution scope based on user wording. Do NOT ask the user to confirm:
| User Intent | Execution Steps |
|---|---|
| ------------- | ---------------- |
| Full audit ("help me audit exposure", "full scan") | Execute all Steps 1-9 |
| High-risk port check ("are there any high-risk ports exposed") | Execute Step 1 + Step 3, focus on high-risk ports |
| New exposures ("what new exposures appeared recently") | Execute Step 1 + Step 5 |
| Specific IP exposure details ("check the exposure of x.x.x.x") | Execute Step 2 (with SearchItem filter) + Step 6 |
Default behavior: If user intent cannot be clearly determined, execute all Steps 1-9 without asking.
Some APIs require StartTime and EndTime parameters (Unix timestamp in seconds).
How to get timestamps: Run date +%s to get the current timestamp, date -d '30 days ago' +%s for 30 days ago, date -d '7 days ago' +%s for 7 days ago. Then use the returned numeric values directly in CLI commands.
> IMPORTANT: Do NOT use bash variable substitution like $(date +%s) inside CLI commands — some execution environments block $(...). Instead, run date commands separately first, note the returned values, then use them as literal numbers in the --StartTime and --EndTime parameters.
Default time ranges:
StartTime = 30 days agoStartTime = 7 days agoRetrieve overall public network exposure data. This is the starting point for subsequent analysis.
aliyun cloudfw describe-internet-open-statistic \
--region {RegionId} \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-cfw-exposure-detection
Refer to DescribeInternetOpenStatistic in references/api-analysis.md for response field details.
List all IP addresses exposed to the public network and their risk information.
aliyun cloudfw describe-internet-open-ip \
--CurrentPage 1 \
--PageSize 50 \
--StartTime {StartTime} \
--EndTime {EndTime} \
--region {RegionId} \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-cfw-exposure-detection
Refer to DescribeInternetOpenIp in references/api-analysis.md for response field details.
Pagination: Check PageInfo.TotalCount. If it exceeds PageSize, increment CurrentPage to fetch more.
List all exposed ports and their details. This is a key step for identifying high-risk exposures.
aliyun cloudfw describe-internet-open-port \
--CurrentPage 1 \
--PageSize 50 \
--StartTime {StartTime} \
--EndTime {EndTime} \
--region {RegionId} \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-cfw-exposure-detection
Refer to DescribeInternetOpenPort in references/api-analysis.md for response field details.
Pagination: Check PageInfo.TotalCount.
Retrieve the list of all assets protected by the firewall.
aliyun cloudfw describe-asset-list \
--CurrentPage 1 \
--PageSize 50 \
--region {RegionId} \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-cfw-exposure-detection
Refer to DescribeAssetList in references/api-analysis.md for response field details.
Pagination: Check TotalCount.
Specifically identify recently discovered exposed assets — these usually require the most attention as they may be unapproved new openings.
aliyun cloudfw describe-asset-list \
--CurrentPage 1 \
--PageSize 50 \
--NewResourceTag "discovered in 7 days" \
--region {RegionId} \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-cfw-exposure-detection
Take the IPs collected from Step 2 (max 20 per call) and retrieve detailed risk reasons. If there are more than 20 IPs, make multiple batched calls.
aliyun cloudfw describe-asset-risk-list \
--IpVersion 4 \
--IpAddrList '["1.2.3.4","5.6.7.8"]' \
--region {RegionId} \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-cfw-exposure-detection
Refer to DescribeAssetRiskList in references/api-analysis.md for response field details.
Check current vulnerability protection coverage and identify which high-risk vulnerabilities are not yet protected.
aliyun cloudfw describe-vulnerability-protected-list \
--CurrentPage 1 \
--PageSize 50 \
--StartTime {StartTime} \
--EndTime {EndTime} \
--region {RegionId} \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-cfw-exposure-detection
Refer to DescribeVulnerabilityProtectedList in references/api-analysis.md for response field details.
Review intrusion attack events from the last 7 days and cross-reference attack targets with exposure data.
aliyun cloudfw describe-risk-event-group \
--CurrentPage 1 \
--PageSize 50 \
--StartTime {StartTime} \
--EndTime {EndTime} \
--DataType 1 \
--Direction in \
--region {RegionId} \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-cfw-exposure-detection
Refer to DescribeRiskEventGroup in references/api-analysis.md for response field details.
Review current inbound ACL rules and assess protection coverage.
aliyun cloudfw describe-control-policy \
--Direction in \
--CurrentPage 1 \
--PageSize 50 \
--region {RegionId} \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-cfw-exposure-detection
Refer to DescribeControlPolicy in references/api-analysis.md for response field details.
After collecting data, generate a report in the following structure. Only show sections with actual data; if an API call failed, note "Data retrieval failed for this section" and continue with other analysis.
Display Step 1 statistics in a table:
| Metric | Value | Risk Assessment |
|---|---|---|
| -------- | ------- | ----------------- |
| Total Exposed Public IPs | x | — |
| High-Risk IP Count | x | Flag if > 0 |
| Total Exposed Ports | x | — |
| High-Risk Port Count | x | Flag if > 0 |
| Unprotected Port Count | x | Flag if > 0 |
| Total Exposed Services | x | — |
| High-Risk Service Count | x | Flag if > 0 |
| SLB Exposed IP Count | x | — |
Combine data from Step 2 and Step 3, sorted by risk level (high → middle → low).
The following ports should be additionally flagged as high-risk when exposed to the public network, regardless of the API-returned risk level:
Output format:
| IP Address | Port | Service | Risk Level | Risk Reason | ACL Status | Recommended Action |
|---|---|---|---|---|---|---|
| ----------- | ------ | --------- | ------------ | ------------- | ------------ | ------------------- |
Display assets discovered in Step 5:
| IP Address | Discovery Time | Resource Type | Instance Name | Protection Status | Risk Level |
|---|---|---|---|---|---|
| ----------- | --------------- | -------------- | -------------- | ------------------- | ------------ |
If no new exposures were found, state "No new exposed assets discovered in the last 7 days".
Combine Step 7 and Step 8:
Generate specific recommendations based on actual data, sorted by priority. Each recommendation includes: Risk Description, Impact Scope, Recommended Action.
> Note: For any step that failed, show "N/A (error: {brief error})" for that section's data fields, and list all errors in the bottom section.
See references/verification-method.md for detailed verification steps.
Quick verification: If all CLI commands return valid JSON responses without error codes, the skill executed successfully.
Use references/related-apis.md as the single source of truth for API tables and command mappings.
ErrorFirewallNotActivated), the service is not activated — skip remaining steps. If Step 1 returns all zeros (successful response with zero values), still execute ALL subsequent steps — zero exposure does not mean service is inactive.CurrentPage and PageSize to handle large datasets. Default to PageSize=50. If TotalCount exceeds PageSize, iterate through all pages.date +%s for current time, date -d '30 days ago' +%s for 30 days ago, date -d '7 days ago' +%s for 7 days ago. Run these commands separately, then use the returned values as literal numbers in --StartTime and --EndTime. Do NOT use $(...) substitution inside CLI commands.cn-hangzhou (mainland China) and ap-southeast-1 (Hong Kong/overseas). Default to cn-hangzhou unless user specifies otherwise.DescribeAssetRiskList) accepts max 20 IPs per call. If more IPs are collected from Step 2, batch them into groups of 20.Throttling.User error, wait 3 seconds and retry.ALIBABA_CLOUD_CONNECT_TIMEOUT=10 and ALIBABA_CLOUD_READ_TIMEOUT=30 before running workflow commands.When printing analysis results, mask sensitive identifiers by default:
203.0.x.x, 10.23.x.x).i-abc*9f2d).If the user explicitly asks for full values, confirm necessity first and still avoid exposing secrets.
| Reference | Description |
|---|---|
| ----------- | ------------- |
| references/related-apis.md | Complete API table with parameters |
| references/ram-policies.md | Required RAM permissions and policy JSON |
| references/verification-method.md | Step-by-step verification commands |
| references/acceptance-criteria.md | Correct/incorrect usage patterns |
| references/cli-installation-guide.md | Aliyun CLI installation guide |
| references/api-analysis.md | Detailed API parameter and response documentation |
共 1 个版本