Alibaba Cloud OSS Media Processing
Process images, audio, and video files stored in Alibaba Cloud OSS using native OSS media processing capabilities. Synchronous processing returns immediate results via
; asynchronous processing handles long-running jobs via
with polling.
Default language: 默认中文回复。Only use English when the user explicitly writes in English.
Quick Start
Working directory
All script commands run from the skill package root. Use full absolute paths to invoke scripts:
bash
python /path/to/skill/scripts/process.py ...
Do not
into the directory and use relative paths. If a script fails with "No such file or directory", use Glob to find
**/alibabacloud-oss-media-process/scripts/process.py
and use its full path.
Setup workspace output directory (run once per session):
bash
WORKSPACE_OUTPUT=$(pwd)/outputs && mkdir -p "$WORKSPACE_OUTPUT"
All
arguments MUST use
$WORKSPACE_OUTPUT/<filename>
— files saved inside the skill directory will NOT be renderable.
Credentials (Aliyun CLI)
This skill uses Aliyun CLI for credential management. Python scripts auto-discover credentials via the
default chain (supporting
, environment variables, ECS instance roles, etc.).
Security rules:
- Never read, echo, print, , or dump , credential files, or any raw command output that contains , , , , , or values.
- Never ask the user to input AK/SK directly in the conversation or command line
- Guide users to use to set up credentials securely
- Never write , , or into any temporary Python/Shell script, here-doc, env export, or intermediate file. All credentials must be discovered through Aliyun CLI or the SDK default credential chain.
- For credential diagnostics, use ,
python scripts/load_env.py
- Treat full presigned URLs as sensitive whenever they contain signing parameters such as , , , , , , , or . Do not print these full URLs into the conversation transcript, command echo, markdown summary, or ordinary log files.
- When a signed URL is needed for user consumption, distinguish between delivery and display: it is acceptable to generate a usable signed URL, but unless the runtime provides a secure private-output channel that does not enter the transcript or logs, only display a redacted URL or an OSS path in normal user-facing text.
Prerequisites
| Step | Action | Command |
|---|
| 1 | Install Aliyun CLI (>=3.3.3) | `curl -fsSL https://aliyuncli.alicdn.com/setup.sh |
| 2 | Configure credentials | |
| 3 | Run blocking preflight check 1 | python scripts/load_env.py
|
| 4 | Run blocking preflight check 2 | |
| 5 | Enable plugins | aliyun configure set --auto-plugin-install true && aliyun plugin update
|
| 6 | Install Python deps | pip install -r scripts/requirements.txt
|
| 7 | Set bucket/region (choose one) | export ALIBABA_CLOUD_OSS_BUCKET=<b> ALIBABA_CLOUD_OSS_REGION=<r>
--bucket <b> --region <r>
|
Blocking preflight policy:
python scripts/load_env.py
- must show a usable configured CLI profile.
- Treat preflight results as stale after any environment or runtime change. If you install Python packages, run , change env vars, edit shell profiles, switch users, or otherwise modify credential/runtime state, you must rerun both
python scripts/load_env.py
python scripts/process.py ...
- If either command fails these checks, stop immediately.
- Do not run
python scripts/process.py ...
- Do not retry media processing.
- Do not simulate a successful result.
- Return only configuration guidance until both checks pass.
AI-Mode
Enable at session start:
bash
aliyun configure ai-mode enable
aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-oss-media-process"
Disable on every exit: success, failure, error, cancellation, or session end:
bash
aliyun configure ai-mode disable
Preflight then Execute
When the user requests a media operation (resize, detect faces, watermark, etc.), apply the blocking preflight policy above before running any
python scripts/process.py ...
command.
also performs a runtime dependency preflight and exits with
pip install -r scripts/requirements.txt
guidance if required SDKs are missing. If you change the environment after a failed attempt (for example by installing dependencies, editing env vars, or re-running
), do not assume the earlier preflight still holds — rerun the full blocking preflight first.
First-time setup
Direct users to run
to set up credentials, then verify with:
Python scripts use the
SDK to auto-discover credentials from the Aliyun CLI config. Bucket and region are read from the
/
environment variables, or from
/
CLI flags.
scans shell config files (
,
) for these exports and loads them into
.
Recommended Workflow
Follow this numbered workflow for every request:
-
Prepare
Confirm the bucket and region are available through
/
or the
/
environment variables. Apply the blocking preflight policy before any media command. Create
once per session for all local downloads.
-
Choose the source
Use
for an existing OSS object key. Use
for a local file path or HTTP(S) URL that should be uploaded temporarily before processing.
-
Decide the execution path
Use
python scripts/process.py
for all media processing and file operations. If the request involves video, audio, HLS, or image-intelligent features, run
python scripts/imm_admin.py auto-setup --bucket <b> --region <r>
first to ensure IMM bucket binding exists.
-
Execute
Build exactly one valid operation chain. Prefer
--output-mode download --output-path $WORKSPACE_OUTPUT/<name>
for sync image outputs,
--output-mode save --target-key <key>
for async media outputs, and
when the result is meant to be consumed remotely.
-
Verify
Read the returned JSON. Check
,
,
(async only),
, local
, and any
. If the command downloaded a local file, present the absolute path to the user.
Only report a local output path after the file was actually written to
and the returned absolute path matches the real downloaded file. Do not claim that a file was saved to
or any other local path unless it truly exists there.
If you need to record
,
,
,
, or similar fields in logs, notes, or output files, extract them directly from the
JSON response. Do not transcribe, rewrite, or manually retype these values.
If the user or eval explicitly requires verification of any machine-verifiable output property (for example codec, bitrate, sample rate, channel count, duration, resolution, frame rate, width, height, or format), prefer running one additional read-only verification step against a persisted OSS output object before finalizing the summary. Use
or
for audio/video outputs, and use a separate
command for image outputs. Do not download the file locally just for this purpose.
For image width, height, format, and file-size verification, treat OSS-side
on the saved target object as the default and preferred verification path.
is a standalone read-only image metadata operation, not a follow-up segment that should be appended to a basic image processing chain. Do not switch to local image-library inspection when
can answer the question.
If a read-only verification step was performed and its result differs from the requested value, report the actual verified output value. Do not substitute the request value, and do not claim the request was fully satisfied when the verification result shows otherwise.
If no read-only verification step was performed, do not describe machine-verifiable output properties as independently confirmed.
Do not assume local verification tools such as
/
,
, or similar utilities are installed. If a tool is unavailable, do not claim that you performed the corresponding local pixel-level or media-property verification.
For image-property verification in particular, do not introduce ad hoc local-library checks such as
/
unless the workflow explicitly requires a local-file-only inspection and OSS-side
cannot provide the property. In normal skill usage and evals, prefer OSS-side verification and avoid emitting local
/
commands entirely.
If the workflow returns only a signed URL and does not persist a reusable OSS target object, do not claim that you performed a follow-up
check on the final output object unless such an object actually exists. In that case, either save the result to OSS first and verify the saved object, or state that only the immediate processing result was available and no persisted-object verification was performed.
Before sending the final user-facing summary, follow the
in
.
-
Recover
If the command fails, use the
table below. Retry only after correcting the concrete cause, such as missing IMM binding, bad parameters, or insufficient RAM permissions.
Quick Decision Guide
All processing goes through
Image, video, and audio operations MUST be executed via
python scripts/process.py --operations "..."
. The agent must not write its own SDK or CLI calls to bypass
or
for video/audio/image processing. Underlying SDK or API requests triggered internally by these scripts (including IMM requests such as
) are expected implementation behavior and do not count as direct agent-side SDK usage. The only intentional script-level IMM entry points are
for project setup and
for async watermark extraction.
Never create your own Python scripts or wrappers to bypass
. When
doesn't support a feature, check SKILL.md and
documentation, use
to preview, and report to the user if it truly cannot be done.
IMM setup (before IMM-dependent ops)
Before running video, audio, HLS, or image-intelligent operations, first run
to ensure the bucket is bound to an IMM project. Pass
--imm-project <project_name>
only for
, or if you intentionally want to override the optional
ALIBABA_CLOUD_IMM_PROJECT
fallback used by that operation.
Source selection
- OSS object →
- Local file or URL → (auto-uploads, processes, cleans up)
Sync vs Async (auto-detected)
- Sync (): image ops, , , , , AI detection
- Async (): , , , , , , ,
The script auto-detects async-only operations and handles routing/polling automatically — no
or
flags needed.
Output rules
| Operation type | Output mode | Command pattern |
|---|
| Sync (image) | | --output-mode download --output-path $WORKSPACE_OUTPUT/<file>
|
| Async (video/audio) | then | 1. --output-mode save --target-key output/<file>
--operations download --output-path $WORKSPACE_OUTPUT/<file>
|
| with auto-download | --output-mode save --target-key output/frames/frame --output-path $WORKSPACE_OUTPUT/
|
| | — returns signed URL for browser/player (not a downloadable file) |
All
MUST use
$WORKSPACE_OUTPUT/<filename>
— files saved inside the skill directory will NOT be renderable.
No-local-download rule: if the user explicitly says not to download locally, only to save in OSS, or only to return a link/URL, do not pass
and do not perform any follow-up download for verification. Use
for sync results meant to be consumed remotely, and use
--output-mode save --target-key ...
for async media results that should remain in OSS. Never download to
,
, or any local path just to verify success; rely on the
JSON response instead.
Ambiguous save wording rule: if the user says "保存", "保存下来", "存起来", or similar wording but does not explicitly say "下载到本地", "本地查看", "给我本地文件", or another clear local-destination phrase, default to saving the result back to OSS with
--output-mode save --target-key ...
. Only use
--output-mode download --output-path ...
when the user explicitly asks for a local file. If the user only wants to inspect the result and does not require a persisted local copy, prefer
for sync outputs and
plus the OSS path for async outputs.
Signed-URL delivery rule: the purpose of
is to make a remote result accessible, not to force the full signed query string into the transcript. In ordinary text responses, prefer an OSS path or a redacted URL. Only provide a full presigned URL when the runtime offers a secure private-output channel that keeps the raw URL out of transcript/log surfaces. If no such channel exists, explain the limitation briefly and avoid printing the full signed query parameters. A redacted URL should keep the path and any non-sensitive query parameters, while replacing sensitive signing values with
, for example:
https://bucket.oss-cn-hangzhou.aliyuncs.com/output/result.webp?OSSAccessKeyId=***&x-oss-credential=***&Signature=***&security-token=***&Expires=1700000000
.
Unique suffix rule: when you need a unique OSS target key suffix for evals, retries, or parallel runs, prefer Python-generated UUIDs or a timestamp-plus-random suffix. Do not rely on
being available. If you must generate a suffix from shell commands, first verify the command exists; otherwise fall back to a timestamp plus random digits. Safe shell example:
SUFFIX=$(python3 -c "import uuid; print(uuid.uuid4().hex[:8])" 2>/dev/null || date +%Y%m%d_%H%M%S_$RANDOM)
.
Chaining rules
See the dedicated
section below for full chaining guidelines.
Core Parameter Rules
- Only pass parameters the user specifies — do not invent defaults. OSS uses official defaults for unspecified parameters (e.g., keep original width/height, original bitrate, original framerate).
- Recipes are examples, not defaults — parameter values in recipe tables (e.g., , ) are for specific scenarios and should NOT be used as defaults.
- video/convert — remux vs re-encode: omitting means OSS only does remux (stream copy without re-encoding). Parameters like , , , , are silently ignored in remux mode. Always specify (default ) when the user says "transcode", "compress", or "slim". Only omit for pure remux (e.g., AVI→MP4 container switch) or audio extraction.
- video/concat — when input params differ: if input videos have different resolution, framerate, or codec, you must ask the user which video to align to (option A: first video, B: second video, C: custom params). Never auto-decide.
- video/concat — validation scope: always performs input compatibility checks before submitting the async task. Additional local output validation only runs when the command also downloads the result via . If you use without a local download path, there is no post-download media validation step.
- Snapshots vs snapshot: use (async) for multi-frame extraction. Never use multiple calls as a workaround. target-key must NOT have a file extension.
- For full parameter specifications, see the corresponding reference files in .
Result Presentation
After every successful
execution, present results in this format:
Language rule: unless the user explicitly requested English, the final user-facing result summary in this section must be written in Chinese.
Use a result template that matches the response language. For Chinese responses, use a Chinese lead-in such as
and Chinese field labels such as
/
/
/
/
/
/
/
. For English responses, use
and the corresponding English labels
/
/
/
/
/
/
/
.
1. File path: output the local absolute path in a code block (e.g.,
/path/to/outputs/snapshot.jpg
). Never use
or Read tool to display files.
Only include this section when the file was actually downloaded or written locally. Do not present an
path that was only planned, inferred, or mentioned in a transcript.
2. Result table:
| Item | Detail |
|---|
| Status | ✅ Completed |
| RequestID | (or ) |
| Task ID | (async only) |
| Source | |
| Output | |
| Params | Dynamic — from your command (e.g., MP4/H.264/2Mbps, or 800x600/JPEG) |
| File Size | From download output |
| OSS Path | oss://<bucket>/<target-key>
|
Field sourcing rules:
and
must be quoted directly from the
JSON response.
must come from the returned
field, and
must come from the returned
field. Never rewrite, estimate, normalize, or summarize numeric/media values by hand, including confidence scores, bitrate, resolution, dimensions, frame rate, or codec details.
If you need a textual summary, include the original command or process string in a fenced code block and describe it conservatively. Do not invent parameter values or restate them in free-form prose when they are not explicitly present in the
response.
Final summary constraints:
- Do not insert fixed English filler such as
Task Completed Successfully
- Numeric values such as sample rate, bitrate, resolution, duration, frame rate, and file count must be copied directly from JSON fields or an explicitly performed read-only verification result.
- If a value was not obtained directly from machine output, omit it instead of rewriting, estimating, rounding, or normalizing it by hand.
- If an explicitly performed read-only verification result differs from the requested value, report the actual verified output value and describe the request as only partially satisfied when necessary. Do not replace the verified value with the requested one.
- If no read-only verification result was obtained, do not claim that machine-verifiable output properties were independently confirmed.
If the user forbids local downloads, omit the
row/section entirely and do not create temporary local files for validation. In that case, present only the JSON-backed metadata returned by
, such as
,
,
,
,
, or
.
If
returns a signed URL, treat the full query string as sensitive output. In normal visible summaries, prefer the OSS path, target key, or a redacted URL. Do not expand raw signing parameters into the final summary unless the runtime has a secure private-output channel for secret delivery.
If independent verification was requested but the workflow returned only a signed URL and did not create a persisted OSS target object, do not claim that a follow-up
check was performed on a final output object. Either save the result first and verify the saved object, or state clearly that no persisted-object verification was available.
For image outputs and visual effects such as watermarks, overlays, blur regions, or face redaction, distinguish between metadata verification and visual verification. If the output was not downloaded or rendered locally, do not claim that a visual element was independently confirmed by inspection; state that only the service-reported processing result was verified unless a local render or explicit inspection step was actually performed.
Rules:
- Do not run , , or image after processing for ordinary result reporting. However, if the user explicitly asks you to verify concrete machine-verifiable output properties such as codec, bitrate, sample rate, channel count, duration, resolution, frame rate, width, height, or format, or if the eval/acceptance criteria explicitly require an independent property check, prefer running one additional read-only verification step against a persisted OSS output object and report that verification separately from the main result. Use or for audio/video outputs, and use a separate command for image outputs.
- Do not assume local verification libraries or binaries such as /, , or similar tools are preinstalled. Use them only when they are actually available and the workflow genuinely requires a local-file check; otherwise rely on JSON output and permitted read-only OSS-side checks.
- For image width/height/format verification, prefer OSS-side on the saved target object even if a local file is present. Do not use / as the default verification method for evals or routine skill runs.
- Requests to verify image width, height, format, or similar machine-verifiable properties do not by themselves authorize a local download. If the user did not explicitly request a local file, and a saved OSS target object can be verified with , do not switch to solely for verification.
- Do not use as a substitute for media-property verification.
- Avoid + retry loops; the script handles async polling internally.
- All media processing goes through ; if unsupported, check and report — do not write custom scripts.
Chaining Rules
Image Operations
- Basic operations can be freely chained with each other
- can follow basic ops but must be the last operation
- must be used alone — no chaining
- AI detection (, , , , , ) must be used alone
Video/Audio Operations
- Video/audio operations cannot be chained with image operations
- Only one video/audio operation per request (no chaining)
- For complex workflows, use multiple separate requests
Credential & Environment Setup
Credentials are managed by Aliyun CLI (
). Python scripts auto-discover them via the
SDK default chain. See
Prerequisites above for setup steps.
Diagnostic check:
bash
python scripts/load_env.py
This scans for legacy env vars and verifies RAM permissions. Use this if operations fail with access errors.
Runtime dependency preflight:
checks required Python packages before execution. Basic OSS/file operations require
and
; video/audio/HLS/IMM operations also require the IMM SDK packages from
. If any dependency is missing, the command fails fast with an install hint instead of starting a partial execution.
IMM project — usually discovered by
.
only consumes
/
ALIBABA_CLOUD_IMM_PROJECT
for
.
IMM Auto-Setup
Video/audio processing and image-intelligent features require an IMM project bound to the bucket. Follow this workflow for IMM-dependent operations:
Step 1 — Detect IMM project (before any processing command):
bash
python scripts/imm_admin.py auto-setup --bucket <bucket> --region <region>
This ensures the bucket is bound to a usable IMM project and prints the resolved project name.
Step 2 — Execute the media operation:
bash
python scripts/process.py --source video.mp4 \
--operations "video/convert:f=mp4,vcodec=h264" \
--output-mode save --target-key output/video.mp4
For
, append
--imm-project <project_name>
if you do not want to rely on the optional
ALIBABA_CLOUD_IMM_PROJECT
fallback.
Step 3 — Present results per Execution & Output Workflow above.
Operations that require IMM bucket setup: all video/audio/HLS ops, image-intelligent ops (faces, bodies, cars, codes, labels, score, blindwatermark-embed/extract), smart crop (
/
), face blur (
/
). Only
requires the project name as a direct
input.
Available Operations
Image Processing (Sync)
| Operation | Description | Reference |
|---|
| , , , , | Basic transformations | references/image-basic-operations.md
|
| , , | Quality & format | references/image-basic-operations.md
|
| , , , , | Effects | references/image-basic-operations.md
|
| , , | Utilities | references/image-basic-operations.md
|
| , | Metadata (JSON) | references/image-basic-operations.md
|
Image-Intelligent (IMM)
| Operation | Mode | Description | Reference |
|---|
| Sync | Embed invisible watermark. Must be last in chain. | references/image-imm-operations.md
|
| Async | Extract watermark. Use alone. | references/image-imm-operations.md
|
| , , | Sync | Detect faces/bodies/cars (JSON). | references/image-imm-operations.md
|
| , , | Sync | QR/barcode recognition, labels, quality score (JSON). | references/image-imm-operations.md
|
Video Processing
| Operation | Mode | Description | Reference |
|---|
| Async | Transcode video. Must specify for re-encode. | references/video-operations.md
|
| Sync | Extract single frame. (time ms) required. | references/video-operations.md
|
| Sync | Video metadata (JSON). | references/video-operations.md
|
| Async | Video to GIF/WebP. | references/video-operations.md
|
| Async | Multi-frame extraction. target-key must NOT have extension. | references/video-operations.md
|
| Async | Sprite sheet. Must specify or . | references/video-operations.md
|
| Async | Concatenate videos (max 11). Must verify input params match. | references/video-operations.md
|
Audio Processing
| Operation | Mode | Description | Reference |
|---|
| Async | Transcode audio. | references/audio-operations.md
|
| Async | Concatenate audio files. | references/audio-operations.md
|
| Sync | Audio metadata (JSON). | references/audio-operations.md
|
HLS Streaming
| Operation | Mode | Description | Reference |
|---|
| Sync | HLS playlist (returns a playlist, not a file — use ). | references/video-operations.md
|
File Operations
| Operation | Mode | Description |
|---|
| Sync | Upload local file/URL to OSS. Use with and . |
| Sync | Download OSS object. Use with and . |
Processing Modes
- Synchronous (): image basic processing, , , , , AI detection — results returned immediately
- Asynchronous (): video/audio transcoding, animation, sprite, snapshots, concat, blindwatermark-extract — auto-detected, auto-polled until completion
Usage
bash
python scripts/process.py \
[--bucket BUCKET_NAME] \
[--region REGION_ID] \
(--source OSS_OBJECT_KEY | --uri URI) \
--operations OPERATION [OPERATION ...] \
[--output-mode url|download|save] \
[--expires SECONDS] \
[--output-path LOCAL_PATH] \
[--target-key OSS_TARGET_KEY] \
[--endpoint CUSTOM_ENDPOINT] \
[--imm-project IMM_PROJECT_NAME] \
[--dry-run]
is only consumed by
; other operations rely on IMM bucket binding, not this flag.
Process a file from a local file path or URL (http/https) without pre-uploading. The script auto-uploads to a temp key, processes, and cleans up.
and
are mutually exclusive.
Prints the generated process string and operation details as JSON to stdout, then exits without connecting to OSS.
Operation String Format
Each operation:
. No-param operations use just the name (e.g.,
,
). Video/audio operations use slash notation:
,
.
End-to-End Example
User request:
text
Resize `images/photo.jpg` in OSS to width 600px, add a bottom-right text watermark `Copyright 2026`, and download the result locally. The bucket is `my-media-bucket` in region `cn-shanghai`.
Command:
bash
python scripts/process.py --bucket my-media-bucket --region cn-shanghai \
--source images/photo.jpg \
--operations "resize:w=600" "watermark:text=Copyright 2026,g=se,opacity=60,size=30" \
--output-mode download \
--output-path "$WORKSPACE_OUTPUT/photo-watermarked.jpg"
Expected result shape:
json
{
"success": true,
"mode": "download",
"path": "/absolute/path/to/outputs/photo-watermarked.jpg",
"size": 12345,
"request_id": "xxxxxx"
}
Interpretation:
- means OSS processing completed successfully.
- is the local file path you should present to the user.
- is the server-side request trace ID for troubleshooting.
Additional Examples
bash
# HLS streaming (with IMM auto-setup)
python scripts/imm_admin.py auto-setup --bucket my-bucket --region cn-hangzhou
# → Capture project name from output
python scripts/process.py --bucket my-bucket --region cn-hangzhou \
--source videos/input.mp4 \
--operations "hls/m3u8:ss=15000,t=1800000,vcodec=h264,fps=25,s=1280x720,vb=2000000,acodec=aac,ab=128000" \
--output-mode url
# Upload a local file to OSS
python scripts/process.py --bucket my-bucket --region cn-hangzhou \
--uri /path/to/report.pdf --operations upload --target-key documents/report.pdf
# Download a file from OSS
python scripts/process.py --bucket my-bucket --region cn-hangzhou \
--source documents/report.pdf --operations download --output-path $WORKSPACE_OUTPUT/report.pdf
Edge Cases
- values that contain commas should be quoted. For example:
preprocess="resize:w=200,text=demo,image/logo.png"
- target keys must not include a file extension. Use , not .
- always performs input compatibility checks before task submission. Additional local output validation only runs when the result is also downloaded via .
- Async media polling defaults to 600 seconds. Override with or
ALIBABA_CLOUD_ASYNC_TIMEOUT_SECONDS
- must run alone. can follow basic image operations, but it must be the last operation in the chain.
Error Recovery
| Error | Cause | Recovery |
|---|
| Repeated or twice in a row | Configuration or authorization is still unresolved, and blind retries risk fabricated diagnosis | Stop immediately. Do not simulate output, do not fabricate logs, and do not keep retrying . Run to verify the active CLI profile, then check RAM permissions with python scripts/check_permissions.py
python scripts/load_env.py
|
| IMM project not bound to bucket, or missing / ALIBABA_CLOUD_IMM_PROJECT
| Run python scripts/imm_admin.py auto-setup --bucket <b> --region <r>
|
| Source file does not exist in OSS | Check path, or upload first with and operation |
| / | RAM policy missing required permissions | Run python scripts/check_permissions.py
|
| Wrong parameter format or unsupported combination | Check parameter spelling; verify against docs |
| Async timeout / polling exceeds limit | Job too large or queue backlog | Note the , tell user to retry later; do NOT use loops |
Quick References
- Parameter details:
references/image-basic-operations.md
references/image-imm-operations.md
references/video-operations.md
references/audio-operations.md
- RAM Permissions:
references/ram-policies.md
- Format Support & Limitations:
references/limitations.md
- IMM Administration: