安装方式
手动下载安装
下载 ZIP 后解压到技能目录即可安装。若在桌面客户端 WebView中直接下载出现异常,本站会改为提示页 + 原始链接,请按页内说明操作。
下载 ZIP (shub-gcp-v1.0.0.zip)触发指令
/google-cloud
跨平台安装指引
该技能声明兼容以下 1 个平台,将 ZIP 解压到对应目录即可被识别。
unzip shub-gcp-v1.0.0.zip -d ~/.claude/skills/
目录不存在时请先
mkdir -p 创建;启用 Skill 后请重启对应 Agent 让配置生效。
使用指南
Google Cloud(综合)
围绕 Google Cloud(综合):GCP 核心概念与 gcloud 常见工作流;与「gcp-networking-audit」等可互补。 无需在每次任务前把零散英文说明手工拼进上下文,也 减少 与客户端默认行为脱节的试错;具体命令、钩子与 JSON 参数仍以 ZIP 包内 SKILL.md 为权威。下文结构与站内 MCP CLI 类专题稿相同:何时用、前置、流程、速查与故障。
何时使用
- GCP 核心概念与 gcloud 常见工作流
- 与「gcp-networking-audit」等可互补
- 已获取本技能 ZIP,并准备在 Claude Code / OpenClaw 中按 SKILL.md 挂载。
- 希望用中文专题稿快速判断「该不该启用」,再深入英文 SKILL 查参数与边界。
- 需要与团队对齐同一套触发方式、目录约定或回调格式时。
前置条件
- 通用:可运行 Claude Code 或文档要求的客户端;有可读写的项目工作区(或 SKILL.md 指定的沙箱目录)。
- 权威细节:API Key / OAuth、钩子路径、环境变量以 ZIP 内 SKILL.md 为准。
典型流程
- 从 ClawHub / 站内分发获取技能 ZIP,校验版本与校验和(若提供)。
- 阅读 SKILL.md 的安装段落:目录落点、客户端类型(Claude Code / OpenClaw / 脚本)。
- 用文档中的最小示例完成第一次调用(单文件修改、单次查询或单次委派)。
- 确认工作目录、权限边界与输出路径后,再处理多文件或长耗时任务。
- 需要回调 / Webhook / 通知时,按 SKILL.md 配置端点并在测试环境先验通。
与 ZIP / SKILL.md 的关系
站内专题稿与 MCP CLI 类 oss 稿同样:概括何时用、怎么接、怎么排错;命令模板、钩子名、JSON 字段、版本矩阵一律以 ZIP 内 SKILL.md 与 ClawHub 上游为准。
命令示例(摘自包内 SKILL.md)
以下为从上游 SKILL.md(或入库正文)自动抽取的终端/脚本片段;路径、环境变量与参数以当前 ZIP 与官方说明为准。
ClawHub slug:gcp(安装命令以 SKILL.md / claw CLI 为准)。
站内入库时的触发命令(完整语义见 ZIP):
# 使用本技能时可在对话中引用或执行上述指令;完整参数与示例见下载包内 SKILL.md。
/google-cloud
最佳实践
- 先 SKILL.md 再猜参数;站内专题稿不替代 schema 与必填字段说明。
- 委派任务时写清验收标准(命令、文件路径、测试命令),减少来回追问。
- 长任务用文档推荐的回调 / 日志落盘代替高频轮询,省 Token 也省机器负载。
- 多技能同时启用时,注意钩子加载顺序与重复工具调用(以 SKILL.md 冲突说明为准)。
调试与排错
- 打开 stderr 与客户端日志;PTY/tmux 场景同时看面板最后几十行输出。
- 参数错误时对照 SKILL.md 中的 JSON/CLI 示例(引号、转义、工作目录)。
- 网络类失败:查代理、防火墙、MCP 传输方式(stdio / HTTP / SSE)。
速查
| 动作 | 说明 |
|------|------|
| 获取技能包 | ClawHub / 站内 ZIP,核对版本 |
| 权威步骤 | 优先阅读 ZIP 内 SKILL.md |
| 首次试跑 | 使用 SKILL.md 最小示例 |
| 验收 | 对照路径、测试命令或回调负载 |
常见故障
- 无输出或立即退出 → 工作目录错误、依赖未装、或 Claude Code 未登录;按 SKILL.md 自检清单执行。
- 权限被拒绝 → 检查沙箱路径、
--permission-mode与工具白名单。 - 与简介不符 → 以英文 SKILL 与上游仓库为准,站内稿仅作结构化导读。
# Google Cloud Production Rules
## Cost Traps
- Stopped Compute Engine VMs still pay for persistent disks and static IPs — delete disks or use snapshots for long-term storage
- Cloud NAT charges per VM and per GB processed — use Private Google Access for GCP API traffic instead
- BigQuery on-demand pricing charges for bytes scanned, not rows returned — partition tables and use `LIMIT` in dev, but `LIMIT` doesn't reduce scan cost in prod
- Preemptible VMs save 80% but can be terminated anytime — only for fault-tolerant batch workloads
- Egress to internet costs, egress to same region is free — keep resources in same region, use Cloud CDN for global distribution
## Security Rules
- Service accounts are both identity and resource — one service account can impersonate another with `roles/iam.serviceAccountTokenCreator`
- IAM policy inheritance: Organization → Folder → Project → Resource — deny policies at org level override allows below
- VPC Service Controls protect against data exfiltration — but break Cloud Console access if not configured with access levels
- Default Compute Engine service account has Editor role — create dedicated service accounts with least privilege
- Workload Identity Federation eliminates service account keys — use for GitHub Actions, GitLab CI, external workloads
## Networking
- VPC is global, subnets are regional — unlike AWS, single VPC can span all regions
- Firewall rules are allow-only by default — implicit deny all ingress, allow all egress. Add explicit deny rules for egress control
- Private Google Access is per-subnet setting — enable on every subnet that needs to reach GCP APIs without public IP
- Cloud Load Balancer global vs regional — global for multi-region, but regional is simpler and cheaper for single region
- Shared VPC separates network admin from project admin — host project owns network, service projects consume it
## Performance
- Cloud Functions gen1 has 9-minute timeout — gen2 (Cloud Run based) allows 60 minutes
- Cloud SQL connection limits vary by instance size — use connection pooling or Cloud SQL Auth Proxy
- Firestore/Datastore hotspotting on sequential IDs — use UUIDs or reverse timestamps for document IDs
- GKE Autopilot simplifies but limits — no DaemonSets, no privileged containers, no host network
- Cloud Storage single object limit is 5TB — use compose for larger, parallel uploads for faster
## Monitoring
- Cloud Logging retention: 30 days default, \_Required bucket is 400 days — create custom bucket with longer retention for compliance
- Cloud Monitoring alert policies have 24-hour auto-close — incident disappears even if issue persists, configure notification channels for re-alert
- Error Reporting groups by stack trace — same error with different messages creates duplicates
- Cloud Trace sampling is automatic — may miss rare errors, increase sampling rate for debugging
- Audit logs: Admin Activity always on, Data Access off by default — enable Data Access logs for security compliance
## Infrastructure as Code
- Terraform google provider requires project ID everywhere — use `google_project` data source or variables, never hardcode
- `gcloud` commands are imperative — use Deployment Manager or Terraform for reproducible infra
- Cloud Build triggers on push but IAM permissions on first run confusing — grant Cloud Build service account necessary roles before first deploy
- Project deletion has 30-day recovery period — but project ID is globally unique forever, can't reuse
- Labels propagate to billing — use consistent labeling for cost allocation: `env`, `team`, `service`
## IAM Best Practices
- Primitive roles (Owner/Editor/Viewer) are too broad — use predefined roles, create custom for least privilege
- Service account keys are security liability — use Workload Identity, impersonation, or attached service accounts instead
- `roles/iam.serviceAccountUser` lets you run as that SA — equivalent to having its permissions, grant carefully
- Organization policies restrict what projects can do — `constraints/compute.vmExternalIpAccess` blocks public VMs org-wide