⚠️ MANDATORY EXECUTION RULES — READ BEFORE DOING ANYTHING:

1. DO NOT search for log files, security data, or any files in the workspace. There are none.
2. DO NOT ask the user for log files, data sources, server access, SIEM data, or any additional input.
3. DO NOT attempt to SSH, access, or connect to any server or IP address.
4. The ONLY way to get data is by running

   aliyun cloudfw ...

   CLI commands as defined in the Core Workflow section below.
5. Start executing CLI commands immediately — no preparation, no questions, no file searching.

• Allowed network target: Alibaba Cloud OpenAPI endpoints resolved by Aliyun CLI for

  cloudfw

  only (

  *.aliyuncs.com

  ).
• Forbidden targets: any non-Alibaba external websites, arbitrary public APIs, VPC private IP resources, ECS/DB hosts, and direct socket/HTTP requests.
• Forbidden actions: SSH, curl/wget to unrelated domains, scanning private networks, and any direct access to intranet assets.

1. Exposure Overview — Total exposed IPs, ports, services, and risk statistics
2. Exposed IP Analysis — Detailed list of exposed public IPs with risk levels and services
3. Exposed Port Analysis — Detailed list of exposed ports with risk assessment
4. Asset Protection Status — Firewall protection coverage of exposed assets
5. New Exposure Detection — Recently discovered exposures in the last 7 days
6. Risk Assessment — Detailed risk reasons per IP
7. Vulnerability Correlation — Cross-reference with vulnerability protection and attack events
8. ACL Policy Review — Internet border ACL rule coverage

Pre-check: Aliyun CLI >= 3.3.1 required Run

aliyun version

to verify >= 3.3.1. If not installed or version too low, see

references/cli-installation-guide.md

for installation instructions. Then [MUST] run

aliyun configure set --auto-plugin-install true

to enable automatic plugin installation.

Pre-check: Alibaba Cloud Credentials Required

Security Rules:

• NEVER read, echo, print, cat, or display AK/SK values under any circumstances
• NEVER ask the user to input AK/SK directly in the conversation or command line
• NEVER use

  aliyun configure set

  with literal credential values
• ONLY use

  aliyun configure list

  to check credential status

bash

aliyun configure list

Check the output for a valid profile (AK, STS, or OAuth identity).

If no valid profile exists, STOP here.

1. Obtain credentials from Alibaba Cloud Console
2. Configure credentials outside of this session (via

   aliyun configure

   in terminal or environment variables in shell profile)
3. Return and re-run after

   aliyun configure list

   shows a valid profile

[MUST] RAM Permission Pre-check: Before executing any commands, verify the current user has the required permissions.

1. Use

   ram-permission-diagnose

   skill to get current user's permissions
2. Compare against

   references/ram-policies.md

3. Abort and prompt user if any permission is missing

IMPORTANT: Parameter Confirmation — Before executing any command or API call, check if the user has already provided necessary parameters in their request.

• If the user's request explicitly mentions a parameter value (e.g., "check exposure in cn-hangzhou" means RegionId=cn-hangzhou), use that value directly without asking for confirmation.
• For optional parameters with sensible defaults (PageSize, CurrentPage, time ranges), use the defaults without asking unless the user indicates otherwise.
• Do NOT re-ask for parameters that the user has clearly stated.

cn-hangzhou

ap-southeast-1

cn-hangzhou

ap-southeast-1

CRITICAL: Continue on failure. If any individual API call fails, do NOT stop the entire workflow. Log the error for that step, then proceed to the next step. Present whatever data was successfully collected.

1. If the call fails with a transient error (network timeout, throttling

   Throttling.User

   ,

   ServiceUnavailable

   , HTTP 500/502/503), retry up to 2 times with a 3-second delay between retries.
2. If the call fails with a permanent error (e.g.,

   InvalidParameter

   ,

   Forbidden

   ,

   InvalidAccessKeyId

   ), do NOT retry. Record the error and move on.
3. After all retries are exhausted, record "[Step X] Failed: {error message}" and continue to the next step.

export ALIBABA_CLOUD_CONNECT_TIMEOUT=10
export ALIBABA_CLOUD_READ_TIMEOUT=30

• ALIBABA_CLOUD_CONNECT_TIMEOUT=10

  : fail fast on network connect issues.

• ALIBABA_CLOUD_READ_TIMEOUT=30

  : allow normal API response time while preventing long hangs.
• If a timeout occurs, treat it as transient and apply the retry logic above.

DescribeInternetOpenStatistic

1. Inform the user: "Cloud Firewall service is not activated or no public assets exist. Please activate it at https://yundun.console.aliyun.com/?p=cfwnext"
2. Skip subsequent steps if no data is available.

• Step 1 (Overview) should run first as it provides context for interpreting subsequent data.
• Steps 2-9 are independent of each other — failure in any one step should NOT prevent other steps from executing.
• Step 6 depends on Step 2's output (IP list), but can be skipped if Step 2 fails.

• For steps that succeeded, show the collected data normally.
• For steps that failed, show "N/A (error: {brief error})" in the corresponding section.
• Always present the summary report even if some steps failed — partial data is better than no data.

cloudfw

--user-agent AlibabaCloud-Agent-Skills

--region {RegionId}

CRITICAL: Execute immediately without asking. When this skill is triggered, start executing from Step 1 right away. Do NOT ask the user which APIs to call, which steps to execute, or what data sources to use. All data comes from the Aliyun CLI commands defined below — just run them. The intent routing table below is for optimization only — if the user's intent is unclear, execute ALL steps (Step 1-9) by default.

StartTime

EndTime

date +%s

date -d '30 days ago' +%s

date -d '7 days ago' +%s

IMPORTANT: Do NOT use bash variable substitution like

$(date +%s)

inside CLI commands — some execution environments block

$(...)

. Instead, run

date

commands separately first, note the returned values, then use them as literal numbers in the

--StartTime

and

--EndTime

parameters.

• Exposure queries (Step 2, 3): last 30 days →

  StartTime

  = 30 days ago
• Vulnerability/attack queries (Step 7, 8): last 7 days →

  StartTime

  = 7 days ago
• EndTime: always current timestamp

• Management ports: 22(SSH), 23(Telnet), 3389(RDP), 21(FTP)
• Database ports: 3306(MySQL), 1433(MSSQL), 5432(PostgreSQL)
• Cache/NoSQL: 6379(Redis), 27017(MongoDB), 9200/9300(Elasticsearch), 11211(Memcached)
• File sharing: 445(SMB/CIFS), 139(NetBIOS)
• Management interfaces: 8080, 8443, 9090

1. High-Risk Vulnerability List: List vulnerabilities with VulnLevel=high, especially flagging those without protection enabled
2. Attack Event Statistics: Summarize attack events from the last 7 days by attack type, correlating with attacked exposed IPs
3. Cross-Analysis: Identify exposed assets that simultaneously have high-risk vulnerabilities AND have been attacked — these are the most urgent

• Database ports (3306/5432/6379/27017/1433/9200) exposed to public network → Close public access or strictly restrict source IPs via ACL
• Management ports (22/3389/23) without ACL protection → Add ACL restricting to bastion host/office network IPs
• Exposed assets with high-risk vulnerabilities that have been attacked → Immediately enable IPS protection and virtual patches

• Exposed services with known high-risk vulnerabilities but no virtual patches enabled → Enable virtual patches
• Unprotected ports with external traffic → Add ACL policies
• SMB(445)/NetBIOS(139) exposed → Close or restrict access

• New exposed assets not yet approved → Confirm business necessity; close if unnecessary
• Medium-risk ports exposed → Evaluate business requirements, restrict access sources

• Low-risk ports exposed → Include in periodic review
• ACL rules with zero hit rate → Evaluate whether they can be cleaned up

Note: For any step that failed, show "N/A (error: {brief error})" for that section's data fields, and list all errors in the bottom section.

1. Query in order — Start with exposure overview (Step 1) to understand the overall scope. If all values are zero, the service may not be activated or there are no public assets.
2. Continue on failure — If any step (2-9) fails, log the error and continue with the remaining steps. Always produce a report with whatever data was collected.
3. Use pagination — For asset and exposure lists, use

   CurrentPage

   and

   PageSize

   to handle large datasets. Default to PageSize=50. If

   TotalCount

   exceeds

   PageSize

   , iterate through all pages.
4. Time range selection — For exposure queries, default to last 30 days. For attack/vulnerability queries, default to last 7 days. Use Unix timestamps in seconds. Calculate with:

   date +%s

   for current time,

   date -d '30 days ago' +%s

   for 30 days ago,

   date -d '7 days ago' +%s

   for 7 days ago. Run these commands separately, then use the returned values as literal numbers in

   --StartTime

   and

   --EndTime

   . Do NOT use

   $(...)

   substitution inside CLI commands.
5. Region awareness — Cloud Firewall only has two regions:

   cn-hangzhou

   (mainland China) and

   ap-southeast-1

   (Hong Kong/overseas). Default to

   cn-hangzhou

   unless user specifies otherwise.
6. Batch IP lookups — Step 6 (

   DescribeAssetRiskList

   ) accepts max 20 IPs per call. If more IPs are collected from Step 2, batch them into groups of 20.
7. Rate limiting — Space API calls to avoid throttling. If you receive a

   Throttling.User

   error, wait 3 seconds and retry.
8. Security — NEVER expose, log, echo, or display AK/SK values.
9. Retry on transient errors — For network timeouts or 5xx errors, retry up to 2 times with a 3-second delay.
10. Explicit timeout config — Always set

    ALIBABA_CLOUD_CONNECT_TIMEOUT=10

    and

    ALIBABA_CLOUD_READ_TIMEOUT=30

    before running workflow commands.
11. Least network access — Only allow Aliyun CLI access to Cloud Firewall OpenAPI endpoints; do not access other external domains or VPC/internal resources.

• IP addresses: keep first segments only (example:

  203.0.x.x

  ,

  10.23.x.x

  ).
• Instance IDs: keep prefix and last 4 chars only (example:

  i-abc***9f2d

  ).
• Account identifiers / UID: keep last 4 digits only.
• Do not print raw tokens, credential material, local config file content, or full internal network topology.