Back to Details

alibabacloud-sas-openclaw-security

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

OpenClaw Security Operations

OpenClaw 安全操作

Perform comprehensive security operations on the OpenClaw environment by calling Alibaba Cloud Security Center (SAS) and ECS APIs via the aliyun CLI.
通过 aliyun CLI 调用阿里云安全中心(SAS)和 ECS API 对 OpenClaw 环境执行全链路安全操作。

Workflow

工作流

Execute security operations in the following order:
  1. Query Instances: Understand the OpenClaw deployment (SCA component query)
  2. Check Security: Three-dimensional check — vulnerabilities, baselines, alerts
  3. Deep Dive: Correlation analysis for identified risks
  4. Remediate: Handle risks with reference to the remediation guide (guidance only)
  5. Recommend: Recommend Alibaba Cloud security products based on risks
  6. Daily Report: Generate a security daily report summary
For the detailed workflow, see references/security_workflow.md.
按照以下顺序执行安全操作:
  1. 查询实例:了解 OpenClaw 部署情况(SCA 组件查询)
  2. 安全检查:三维度检测——漏洞、基线、告警
  3. 深度分析:对识别到的风险做关联分析
  4. 风险修复:参考修复指南处理风险(仅提供指导)
  5. 方案推荐:根据风险情况推荐阿里云安全产品
  6. 日报生成:生成安全日报汇总
详细工作流请参考 references/security_workflow.md

Prerequisites

前置条件

All API calls are made through the aliyun CLI. Complete the following steps before use:
所有 API 调用都通过 aliyun CLI 完成,使用前请完成以下步骤:

1. Confirm aliyun CLI Is Installed

1. 确认 aliyun CLI 已安装

Run the aliyun command to check installation status:
bash
aliyun version
运行 aliyun 命令检查安装状态:
bash
aliyun version

2. Check Credential Configuration

2. 检查凭证配置

bash
aliyun sts GetCallerIdentity
If not yet configured, run 
aliyun configure
and follow the prompts. Credentials are stored in 
~/.aliyun/config.json
.
Do not hard-code AK/SK in scripts or environment variables. Manage credentials uniformly via 
aliyun configure
. Never output credentials in plaintext under any circumstances, including access_key_id and access_key_secret.
bash
aliyun sts GetCallerIdentity
如果尚未配置,运行 
aliyun configure
按照提示完成配置。凭证存储在 
~/.aliyun/config.json
中。
不要在脚本或环境变量中硬编码 AK/SK,通过 
aliyun configure
统一管理凭证。 任何情况下都不要明文输出凭证,包括 access_key_id 和 access_key_secret。

3. Note on region-id Handling

3. region-id 处理注意事项

When using Security Center (SAS) and Security Guardrail (AISC) features, only two regions are supported: 
cn-shanghai
(Mainland China) and 
ap-southeast-1
(outside Mainland China).
When using Cloud Assistant (ECS) features, the region-id is directly tied to the ECS instance region. Use 
query_asset_detail
to look up the instance region-id by Security Center UUID.
使用安全中心(SAS)和安全护栏(AISC)功能时,仅支持两个地域:
cn-shanghai
(中国内地)和 
ap-southeast-1
(中国内地以外)。
使用云助手(ECS)功能时,region-id 与 ECS 实例地域直接绑定,可使用 
query_asset_detail
通过安全中心 UUID 查询实例的 region-id。

4. Confirm RAM Permissions

4. 确认 RAM 权限

All CLI calls in this Skill require the corresponding RAM Action authorizations for each cloud service. The minimum permission policy is documented in references/ram-policies.md.
本技能中所有 CLI 调用都需要对应云服务的 RAM Action 授权,最小权限策略已在 references/ram-policies.md 中说明。

About User-Agent

关于 User-Agent

All aliyun CLI calls made through 
base_client.py
automatically append 
--user-agent AlibabaCloud-Agent-Skills
. No manual configuration is needed.
所有通过 
base_client.py
发起的 aliyun CLI 调用都会自动追加 
--user-agent AlibabaCloud-Agent-Skills
,无需手动配置。

Quick Start

快速开始

Query OpenClaw Instances

查询 OpenClaw 实例

List all deployed OpenClaw components, showing hostname, IP, and version.
bash
python -m scripts.query_openclaw_instances \
    --name-pattern openclaw --biz sca_ai
列出所有已部署的 OpenClaw 组件,展示主机名、IP 和版本。
bash
python -m scripts.query_openclaw_instances \
    --name-pattern openclaw --biz sca_ai

Query Asset Details

查询资产详情

Query detailed information (OS, IP, disk, client status, etc.) for a single machine by UUID.
bash
python -m scripts.query_asset_detail --uuid <UUID>
通过 UUID 查询单台机器的详细信息(操作系统、IP、磁盘、客户端状态等)。
bash
python -m scripts.query_asset_detail --uuid <UUID>

Multiple UUIDs separated by commas

多个 UUID 用英文逗号分隔

python -m scripts.query_asset_detail --uuid <UUID1>,<UUID2>
undefined
python -m scripts.query_asset_detail --uuid <UUID1>,<UUID2>
undefined

Check Vulnerabilities

检测漏洞

Query unresolved emergency vulnerabilities related to OpenClaw, and output a vulnerability list with remediation recommendations.
bash
python -m scripts.check_openclaw_vulns \
    --name "emg:SCA:AVD-2026-1860246" --type emg --dealed n
查询 OpenClaw 相关的未解决紧急漏洞,输出带修复建议的漏洞列表。
bash
python -m scripts.check_openclaw_vulns \
    --name "emg:SCA:AVD-2026-1860246" --type emg --dealed n

View only critical vulnerabilities

仅查看 critical 级别漏洞

python -m scripts.check_openclaw_vulns --necessity asap
undefined
python -m scripts.check_openclaw_vulns --necessity asap
undefined

Check Baseline Risks

检查基线风险

Query a baseline check result summary by UUID. Specify 
--risk-id
to drill into the check details for a specific risk item.
bash
undefined
通过 UUID 查询基线检查结果汇总,指定 
--risk-id
可下钻查看特定风险项的检查详情。
bash
undefined

Summary only

仅查看汇总信息

python -m scripts.check_openclaw_baseline --uuid <UUID>
python -m scripts.check_openclaw_baseline --uuid <UUID>

Drill into a specific risk item

下钻查看特定风险项

python -m scripts.check_openclaw_baseline --uuid <UUID> --risk-id 320
undefined
python -m scripts.check_openclaw_baseline --uuid <UUID> --risk-id 320
undefined

Check Alerts

检查告警

Query unhandled security alerts, filterable by severity or host.
bash
python -m scripts.check_openclaw_alerts --dealed N
查询未处理的安全告警,可按严重程度或主机过滤。
bash
python -m scripts.check_openclaw_alerts --dealed N

View only critical alerts

仅查看 critical 级别告警

python -m scripts.check_openclaw_alerts --dealed N --levels serious
python -m scripts.check_openclaw_alerts --dealed N --levels serious

Filter by specific hosts

按指定主机过滤

python -m scripts.check_openclaw_alerts --uuids <UUID1>,<UUID2>
undefined
python -m scripts.check_openclaw_alerts --uuids <UUID1>,<UUID2>
undefined

Push Check Tasks

推送检查任务

Trigger vulnerability scans and baseline checks for specified machines. Confirm the UUID before execution.
bash
python -m scripts.push_openclaw_check_tasks --uuid <UUID>
为指定机器触发漏洞扫描和基线检查,执行前请确认 UUID 正确。
bash
python -m scripts.push_openclaw_check_tasks --uuid <UUID>

Install Security Guardrail

安装安全护栏

Deploy the security guardrail to a specified ECS instance via Cloud Assistant. Automatically waits for installation to complete and outputs the result.
bash
python -m scripts.install_security_guardrail \
    --instance-ids i-abc123 --region cn-hangzhou
通过云助手将安全护栏部署到指定 ECS 实例,自动等待安装完成并输出结果。
bash
python -m scripts.install_security_guardrail \
    --instance-ids i-abc123 --region cn-hangzhou

Multiple machines

多台机器部署

python -m scripts.install_security_guardrail
--instance-ids i-abc123,i-def456
undefined
python -m scripts.install_security_guardrail
--instance-ids i-abc123,i-def456
undefined

Query Guardrail Status

查询护栏状态

Detect the running status of the security guardrail on target machines via Cloud Assistant, used for post-installation verification.
bash
python -m scripts.query_guardrail_status \
    --instance-ids i-abc123 --region cn-hangzhou
通过云助手检测目标机器上安全护栏的运行状态,用于安装后验证。
bash
python -m scripts.query_guardrail_status \
    --instance-ids i-abc123 --region cn-hangzhou

Run Cloud Assistant Command

运行云助手命令

Remotely execute any Shell command on ECS instances, waiting for results in real time and returning the output.
bash
python -m scripts.run_cloud_assistant_command \
    --instance-ids i-abc123 \
    --command "uname -a" \
    --region cn-hangzhou
Notes:
  1. The Cloud Assistant region must match the ECS instance region. SAS defaults to 
    cn-shanghai
    ; ECS defaults to 
    cn-hangzhou
    .
  2. Escape 
    $()
    in commands as 
    \$()
    .
  3. Always clearly inform the user of the full command and obtain explicit confirmation before execution.
在 ECS 实例上远程执行任意 Shell 命令,实时等待结果并返回输出。
bash
python -m scripts.run_cloud_assistant_command \
    --instance-ids i-abc123 \
    --command "uname -a" \
    --region cn-hangzhou
注意:
  1. 云助手地域必须与 ECS 实例地域匹配。SAS 默认使用 
    cn-shanghai
    ;ECS 默认使用 
    cn-hangzhou
  2. 命令中的 
    $()
    需要转义为 
    \$()
  3. 执行前必须明确告知用户完整命令内容并获得用户明确确认。

Generate Security Daily Report

生成安全日报

One-click aggregation of four dimensions — instances, vulnerabilities, baselines, and alerts — outputting a Markdown report to the 
output/
directory.
bash
python -m scripts.generate_security_report
一键聚合实例、漏洞、基线、告警四个维度的数据,输出 Markdown 格式报告到 
output/
目录。
bash
python -m scripts.generate_security_report

Script Reference

脚本参考

ScriptPurposeRequired ArgsOptional Args (Common)
query_openclaw_instances.py
Query OpenClaw SCA instance list
--name-pattern
, 
--biz
, 
--max-pages
query_asset_detail.py
Query asset details by UUID (host/OS/disk/client status)
--uuid
--region
check_openclaw_vulns.py
Query unresolved vulnerabilities
--name
, 
--type
, 
--dealed
, 
--necessity
, 
--uuids
check_openclaw_baseline.py
Query baseline check results by UUID
--uuid
--risk-id
(drill into a specific risk item)
check_openclaw_alerts.py
Query security alert events
--dealed
, 
--levels
, 
--uuids
, 
--name
push_openclaw_check_tasks.py
Push vulnerability and baseline check tasks (trigger scan)
--uuid
--tasks
get_ai_agent_plugin_command.py
Get AI Security Assistant installation command
--output-dir
install_security_guardrail.py
Install security guardrail via Cloud Assistant
--instance-ids
--region
, 
--timeout
, 
--username
query_guardrail_status.py
Query guardrail installation/running status via Cloud Assistant
--instance-ids
--region
, 
--timeout
run_cloud_assistant_command.py
Remotely execute commands on ECS via Cloud Assistant
--instance-ids
, 
--command
--region
, 
--type
, 
--timeout
, 
--username
generate_security_report.py
Aggregate four-dimension security daily report (instances/vulns/baseline/alerts)
--vuln-name
, 
--name-pattern
, 
--region
All scripts support 
--region
and 
--output-dir
parameters (
run_cloud_assistant_command.py
does not support 
--output-dir
).
脚本用途必选参数可选参数(通用)
query_openclaw_instances.py
查询 OpenClaw SCA 实例列表
--name-pattern
, 
--biz
, 
--max-pages
query_asset_detail.py
通过 UUID 查询资产详情(主机/操作系统/磁盘/客户端状态)
--uuid
--region
check_openclaw_vulns.py
查询未解决漏洞
--name
, 
--type
, 
--dealed
, 
--necessity
, 
--uuids
check_openclaw_baseline.py
通过 UUID 查询基线检查结果
--uuid
--risk-id
(下钻查看特定风险项)
check_openclaw_alerts.py
查询安全告警事件
--dealed
, 
--levels
, 
--uuids
, 
--name
push_openclaw_check_tasks.py
推送漏洞和基线检查任务(触发扫描)
--uuid
--tasks
get_ai_agent_plugin_command.py
获取 AI 安全助手安装命令
--output-dir
install_security_guardrail.py
通过云助手安装安全护栏
--instance-ids
--region
, 
--timeout
, 
--username
query_guardrail_status.py
通过云助手查询护栏安装/运行状态
--instance-ids
--region
, 
--timeout
run_cloud_assistant_command.py
通过云助手在 ECS 上远程执行命令
--instance-ids
, 
--command
--region
, 
--type
, 
--timeout
, 
--username
generate_security_report.py
聚合四个维度的安全日报(实例/漏洞/基线/告警)
--vuln-name
, 
--name-pattern
, 
--region
所有脚本都支持 
--region
--output-dir
参数(
run_cloud_assistant_command.py
不支持 
--output-dir
)。

Cloud Assistant Security Rules

云助手安全规则

Before executing any command via Cloud Assistant, the following rules must be followed:
  1. Clearly inform the user of the full command content to be executed.
  2. Require the user to explicitly confirm (reply with agreement) before executing the command.
  3. If the user has not confirmed or the command is high-risk, execution is prohibited.
通过云助手执行任何命令前,必须遵守以下规则:
  1. 明确告知用户待执行的完整命令内容。
  2. 执行命令前需要用户明确确认(回复同意)。
  3. 用户未确认或命令属于高风险命令时,禁止执行。

Output Strategy

输出策略

All query results and reports are saved to the 
output/
directory:
  • JSON format: Raw API response data, for programmatic consumption
  • Markdown format: Human-readable reports, for display and archiving
所有查询结果和报告都保存到 
output/
目录:
  • JSON 格式:API 原始响应数据,供程序调用
  • Markdown 格式:人类可读的报告,用于展示和归档

References

参考文档

  • API Parameter Reference
  • Security Operations Workflow
  • Remediation and Product Recommendations
  • RAM Permission Policies
  • API 参数参考
  • 安全操作工作流
  • 修复方案与产品推荐
  • RAM 权限策略