Detailed description of the scenario's application and purpose.

Diagnose network connectivity, upload/download bandwidth, download time, and local symlink anomalies between the local workstation and OSS using ossutil 2.0 integrated with the Alibaba Cloud CLI.

Architecture: Local Workstation + Alibaba Cloud CLI 3.3.3+ + aliyun ossutil + OSS Bucket + Optional target object or presigned URL + Optional probe domain

Scenario	Recommended Command	Output
Upload connectivity probe	INLINECODE2	Upload duration, object name, log file
Download connectivity probe

aliyun ... ossutil probe --download | Download duration, local file path, log file |
| Upload bandwidth suggestion | aliyun ... ossutil probe --probe-item upload-speed | Suggested concurrency value |
| Download bandwidth suggestion | aliyun ... ossutil probe --probe-item download-speed | Suggested concurrency value |
| Download time measurement | aliyun ... ossutil probe --probe-item download-time | Concurrency/part-size/duration statistics |
| Symlink anomaly check | aliyun ... ossutil probe --probe-item cycle-symlink | Whether abnormal symlinks exist |

Important implementation boundary

• - probe is a composite client-side diagnostic command provided by aliyun ossutil; there is no equivalent aliyun oss api probe.
• INLINECODE11 can only detect abnormal symlinks — it cannot safely auto-fix target paths.
• Probe output can locate symptoms and suggest concurrency, but cannot guarantee an automatic precise root cause for all network anomalies.
• INLINECODE12 requires a real existing object, and the official recommendation is objects larger than 5 MiB. If no suitable object exists, the user must first confirm an existing object path, or confirm a local file to upload via aliyun ossutil cp before probing.

Installation

Pre-check: Aliyun CLI >= 3.3.3 required
Run aliyun version to verify >= 3.3.3. If not installed or version too low,
see references/cli-installation-guide.md for installation instructions.
Then run the credential gate aliyun configure list.
Only after configure list shows a valid profile, run aliyun configure set --auto-plugin-install true and aliyun ossutil version.

Run the version and credential gate first:
CODEBLOCK0

Only after configure list confirms a valid profile, proceed:
CODEBLOCK1

AI safety mode: configure ai-mode enable activates the CLI's built-in safety guard, which blocks dangerous operations (e.g. deleting critical resources) at the CLI level. This must be enabled before executing any ossutil commands.

Environment Variables

Environment Variable	Required/Optional	Description	Default Value
INLINECODE22	Optional	Specify which CLI profile to use	Current default profile
INLINECODE23

Optional | HTTP proxy address in proxied environments | None | | HTTPS_PROXY | Optional | HTTPS proxy address in proxied environments | None | | NO_PROXY | Optional | Proxy bypass list | None |

Parameter Confirmation

IMPORTANT: Parameter Confirmation — Before executing any command or API call,
ALL user-customizable parameters (e.g., RegionId, instance names, CIDR blocks,
passwords, domain names, resource specifications, etc.) MUST be confirmed with the
user. Do NOT assume or use default values without explicit user approval.

Parameter Name	Required/Optional	Description	Default Value
INLINECODE26	Optional	CLI profile to use	Current default profile
INLINECODE27

Optional | Region where the bucket is located; use when auto-detection is unreliable or explicit specification is needed | None | | bucket_name | Required for bucket-based probes | Target bucket name | None | | object_name | Required for download-speed and download-time; optional for other bucket-based probes | Full object path, e.g. dir/example.txt; for download-speed, objects larger than 5 MiB are recommended for stable results | None | | local_path | Optional | Local upload file path, symlink scan directory, or download save path | None | | download_url | Required for URL-based download probe | Public-read URL or signed private URL | None | | endpoint | Optional | Use only when the user explicitly provides it or the error message clearly points to a specific endpoint | None | | addr | Optional | Domain for --addr network connectivity check | www.aliyun.com only if user explicitly accepts | | upmode | Optional | Upload probe mode | normal | | runtime | Optional | Max runtime in seconds for upload-speed / download-speed | CLI default | | parallel | Optional | Single-file concurrency for download-time | 1 | | part_size | Optional | Part size in bytes for download-time | CLI auto/default |

Authentication

Pre-check: Alibaba Cloud Credentials Required
Security Rules:

• - NEVER read, echo, or print AK/SK values (e.g., echo $ALIBABA_CLOUD_ACCESS_KEY_ID is FORBIDDEN)
• NEVER ask the user to input AK/SK directly in the conversation or command line
• NEVER use aliyun configure set with literal credential values
• NEVER read credential files such as ~/.aliyun/config.json, or dump environment variables to inspect credentials
• NEVER write a full presigned URL with query-string signature parameters into logs or final output; if you must mention it, redact everything after INLINECODE53
• ONLY use aliyun configure list to check credential status

> aliyun configure list
> 

Check the output for a valid profile (AK, STS, or OAuth identity).
If no valid profile exists, STOP here.

1. 1. Obtain credentials from Alibaba Cloud Console
2. Configure credentials outside of this session (via aliyun configure in terminal or environment variables in shell profile)
3. Return and re-run after aliyun configure list shows a valid profile

If multiple profiles exist, explicitly add --profile <profile> in subsequent commands, placed after aliyun and before ossutil, e.g. aliyun --profile <profile> ossutil version.

RAM Policy

The minimum OSS permissions required by this skill depend on the probe mode. Refer to references/ram-polices.md for per-scenario permission tables and policy examples.

• - Upload probes, upload bandwidth probes, temporary object probes: require at least oss:GetObject, oss:PutObject, INLINECODE64
• Download probes, download bandwidth probes, download time probes: require at least INLINECODE65
• If using aliyun ossutil cp to pre-upload a test object: requires INLINECODE67
• If using aliyun ossutil rm to clean up an explicitly specified test object: requires INLINECODE69

Core Workflow

1. Validate the CLI environment

Execute in the following order — do not skip steps:

1. 1. Check CLI version first:

aliyun version

1. 2. Then check credentials/profile:

aliyun configure list

1. 3. If configure list does not show a valid profile, or reports a missing config file, STOP immediately.

- Do NOT proceed with configure set --auto-plugin-install true - Do NOT proceed with ossutil version - Do NOT fabricate bucket, object, profile, region, or probe success results

1. 4. Only after the profile is valid, proceed to prepare the plugin, enable AI safety mode, and verify ossutil:

CODEBLOCK5

1.1 Log file naming and command substitution

• - When saving execution logs, use static strings for filenames (e.g. probe_download_time.log). Do not use $(date ...), $(...), or backtick shell command substitutions in filenames, because different execution environments have inconsistent shell interpolation support, which can easily cause syntax errors.
• Some execution environments block $() command substitution entirely. When you need to capture command output into a variable (e.g. for presigned URLs), use the file+script pattern: redirect output to a temporary file, then create a shell script that reads the file and uses the value. See §B for a concrete example.

2. Choose the probe mode

A. Upload connectivity probe

• - If the user only wants network/upload connectivity diagnostics without keeping the object, omit local_path and object_name and let probe use a temporary file that is auto-cleaned after completion.
• If the user wants to verify a specific real file's upload path, confirm local_path.
• If the upload probe returns AccessDenied, quote the error as-is and explain that at least oss:GetObject, oss:PutObject, oss:DeleteObject are required; do not enumerate buckets, regions, or fall back to legacy command forms.

CODEBLOCK6

When LOCAL_PATH_IF_ANY is not provided, remove that positional parameter entirely — do not pass an empty string.

B. Download probe via URL

• - Public-read objects: have the user confirm a directly accessible URL.
• Private objects: generate a presigned URL first, then run probe --download --url.

Generate a presigned URL, save it to a temporary file, then run the probe via a shell script. This two-step approach avoids exposing the full URL in command history and works in environments where $() command substitution is blocked.

Step 1 — Generate the presigned URL and redirect output to a temporary file:
CODEBLOCK7

Step 2 — Create a probe script that reads the URL from the file and runs the download probe:
CODEBLOCK8

Important — you MUST use probe --download --url with the presigned URL:

• - Never copy-paste the full presigned URL directly into the --url parameter — use the file+script pattern above so the URL is never exposed in command history or execution logs.
• If /tmp/ is not writable, use the current workspace directory for the temporary file and script instead.

INLINECODE92 only accepts HTTP/HTTPS URLs — it cannot take oss://bucket/object.

• - A successful ossutil presign only means the signed URL was generated; it does not guarantee the bucket or object exists, nor that the subsequent download will succeed.
• If you need to log the execution, do not persist the full presigned URL; at most keep the object address without the query string, or redact all signature parameters after ?.
• If probe --download --url returns 404/403, quote the raw HTTP error first; if the bucket/object was already confirmed input, you may do one ossutil stat validation with the same bucket + object + region. Do not try to "guess" the root cause by listing buckets, trying random regions, or reading local credential files.

C. Download probe via Bucket/Object

• - If the user confirmed object_name, the command will download that object directly.
• If the user does not provide object_name, probe will create a temporary object, download it, and delete the temporary object after completion.

CODEBLOCK9

• - If the command reports NoSuchBucket, NoSuchKey, or other object-level errors, prefer running ossutil stat "oss://<BUCKET_NAME>/<OBJECT_NAME>" --region "<REGION_ID_IF_NEEDED>" for same-target validation.
• Do not list all buckets, try unconfirmed regions, or switch to aliyun oss api / GetBucketLocation or other commands outside this skill's scope to confirm whether the object exists.

D. Local symlink anomaly probe

This mode only checks local directory/file paths — it does not access OSS.

CODEBLOCK10

• - If the command returns stat <path>: no such file or directory, explicitly state that the local path does not exist in the current execution environment; this is still a local-only flow with no OSS access.
• When the local path does not exist, you must NEVER:

- Interpret it as "this is a containerized/sandbox environment limitation" - Automatically rewrite it as "the user should run on another machine/production environment" - Generate a script file saying "run this command in the correct environment" - Check the parent directory with ls and then give up

Correct approach: Quote the raw error stat <path>: no such file or directory, explicitly tell the user the path does not exist in the current environment, and ask whether they provided the correct path. Unless the user proactively states the current session is not on the target machine, do not make that judgment for them.

When reporting results of this probe, include at minimum:

• - This is a local-only flow — no OSS access occurred
• Which symlinks are abnormal and which link chains were directly verified; if only partial chains can be verified, clearly distinguish "confirmed chain segments" from "anomaly points proven by probe errors", e.g. loop-b -> loop-a, and resolving loop-a reports INLINECODE112
• If the probe output contains raw errors, quote at least one key error, e.g. INLINECODE113
• Minimum fix prerequisites, e.g. break one of the cyclic links or re-point the abnormal link to a real target before retrying

If you need to clarify the abnormal link chain, you may perform read-only local forensics on the same path (e.g. readlink, stat -f "%N -> %Y"). Only write precise chains when these supplementary results are actually readable; if the supplementary forensics itself fails, report only verified segments — do not fabricate a complete cycle.

If the output lists abnormal symlinks, the user or a local script must fix them according to business semantics; this skill does not auto-rewrite symlink targets.

E. Upload bandwidth probe with suggested concurrency

Basic command:
CODEBLOCK11

To limit runtime, add:
CODEBLOCK12

Successful output will contain suggest parallel is <N>.

F. Download bandwidth probe with suggested concurrency

• - object_name is required.
• Official recommendation: target object should be larger than 5 MiB.
• If the user has no suitable object, first confirm a local file path, then upload a cleanable test object via aliyun ossutil cp.

Optional preparation step:
CODEBLOCK13

Run download bandwidth probe:
CODEBLOCK14

G. Download time probe

Basic command:
CODEBLOCK15

To explicitly control concurrency and part size, add:
CODEBLOCK16

INLINECODE119 and --part-size are only meaningful in the download-time scenario; do not misuse them with upload-speed.

3. Interpret the output

• - When upload/download probes succeed, the output will contain upload file:success or INLINECODE124
• When bandwidth probes succeed, the output will contain multiple parallel:<N> statistics and INLINECODE126
• When download time probes succeed, the output will contain total bytes, cost, INLINECODE129
• All probe modes typically generate a logOssProbe*.log local log file; after probe execution, you must check whether logOssProbe*.log was generated in the current directory and report the log path in the final answer
• If a real command returns an error or has no success marker, the final conclusion must explicitly state failure/blocked and quote the raw error message — do not write "task completed successfully" or describe a failure as successful verification
• When a command fails, the final answer must explicitly state the termination reason (e.g. "stopped due to AccessDenied", "stopped due to path not found") — do not end silently
• For errors like The bucket you are attempting to access must be addressed using the specified endpoint, this only means the current access endpoint does not match the bucket's requirements; stop immediately, ask the user to confirm the correct region/endpoint — do not infer or try other region/endpoints on your own

See references/verification-method.md for more detailed verification steps.

Success Verification Method

Follow the steps in references/verification-method.md to confirm each item:

1. 1. CLI version and profile are valid
2. Probe output contains success markers or suggested concurrency
3. You must run ls logOssProbe*.log to check whether log files were generated locally, and report the log path in the final answer; if no log files were generated, it means the probe may not have reached the actual probing stage
4. If an explicit test object was used, confirm whether it should be retained or enter the cleanup step
5. If any of the above steps fail, the final answer must explicitly state failure and quote the raw error with termination reason

Cleanup

• - Upload/download connectivity probes without an explicit --object will auto-clean temporary objects
• If you explicitly uploaded a test object in the download-speed preparation step, decide whether to delete it based on user confirmation after probing

Delete an OSS test object:
CODEBLOCK17

If a temporary test file was downloaded locally, it should also be deleted or retained based on user confirmation.

After all probe and cleanup steps are finished, disable AI safety mode:
CODEBLOCK18

API and Command Tables

For all commands, underlying OSS capability mappings, and which steps are local client-side logic only, see references/related-apis.md.

Best Practices

1. 1. Always use aliyun ossutil probe — do not fabricate non-existent commands like INLINECODE140
2. Confirm all user-variable parameters before execution, especially bucket_name, object_name, download_url, INLINECODE144
3. Only retain probe objects when the user explicitly confirms; otherwise prefer temporary objects or explicit cleanup
4. For download-speed, choose a real object larger than 5 MiB for more stable results
5. In proxy, dedicated line, or custom domain scenarios, explicitly confirm --addr, --region, INLINECODE148
6. Use suggest parallel is <N> as an empirical baseline, then do small-scale validation combined with actual business concurrency
7. For cycle-symlink, only diagnose — do not auto-fix
8. After command failure, prefer same-target validation (e.g. ossutil stat) — do not expand into listing buckets, guessing regions, trying unsupported flags, or reading local credential files
9. Do not expose AK/SK, STS tokens, or full presigned URL query strings in logs or final results
10. A successful presign, resolvable DNS, or reachable ping/traceroute does not guarantee the object exists or that the probe will succeed; conclusions must be based on actual probe/validation results

Reference Links

Reference	Purpose
INLINECODE152	Installing and upgrading Aliyun CLI
INLINECODE153

Checking success by probe mode | | references/related-apis.md | Command to underlying OSS capability/permission mapping | | references/ram-polices.md | RAM permission checklist and policy examples | | references/acceptance-criteria.md | Skill acceptance criteria and counter-examples | | references/implementation-boundaries.md | Boundaries that cannot be fully automated via CLI or code |