A2a Manager
v1.0.0Manage agent creation, Discord channels/roles, agent-to-agent task coordination, sub-agent spawning, A2A_MAP updates, and Notion-based task workflows.
⭐ 0· 368·1 current·1 all-time
byCuong Pahm@nyrosveil
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims full Discord channel/role management but the provided discord_manager simulates operations by writing a local config file rather than calling the Discord API (no Discord token is requested). Conversely, the Notion integration does call the Notion API but the skill registry metadata did not declare any required credential (NOTION_API_KEY or ~/.config/notion/api_key). The file-based agent workspace creation/deletion behavior aligns with the 'create agent' purpose, but the mismatch around Discord & Notion credentials is incoherent and surprising for a user who expects direct Discord changes.
Instruction Scope
Runtime instructions (and the code) read and write many files under the user's home directory (~/.openclaw/workspace and ~/.config/notion/api_key), create and delete agent workspaces, spawn 'specialists' as JSON files and can remove them, and produce logs. These file operations are within the claimed domain, but the SKILL.md did not call out that it will create/delete files and potentially remove agent workspaces. Also some code paths (Notion API calls) require a secret key the SKILL.md doesn't declare. There are also apparent coding bugs (e.g., malformed assignment in task_board.create_task) which could cause runtime failures.
Install Mechanism
There is no install spec — this is instruction+code only and nothing is downloaded or executed automatically on install. That lowers installation risk; however the included Python scripts will run on the host with access to user files if invoked.
Credentials
The code attempts to read a Notion API key from ~/.config/notion/api_key or the NOTION_API_KEY environment variable but the skill's manifest did not declare this requirement. No Discord token is requested even though the skill claims Discord management (the code purposely simulates Discord actions). Requesting/using a Notion API key is reasonable for Notion integration, but the omission from declared requirements is a red flag and should be surfaced to users before granting secrets.
Persistence & Privilege
The skill does not request persistent platform privileges (always: false). It persists its own state under ~/.openclaw/workspace (log files, configs, agent workspaces, specialist JSON files), which is normal for a manager tool but means it will leave files on disk. It does include delete routines (delete_agent, dispose_specialist) that can remove those workspace directories — expected for this kind of skill but destructive to on-disk agent workspaces if used.
Scan Findings in Context
[no_findings] unexpected: Static pre-scan reported no regex matches, but the code nevertheless accesses sensitive locations (Notion API key file ~/.config/notion/api_key or env NOTION_API_KEY) and performs filesystem writes/deletes under ~/.openclaw/workspace. Absence of regex hits does not mean there are no security-relevant behaviors.
What to consider before installing
Read this before installing or running: (1) The package will create and remove files under your home directory (~/.openclaw/workspace) including agent workspaces and logs — run it in an isolated environment or backup that directory first. (2) Notion integration requires a Notion API key (it looks for ~/.config/notion/api_key or NOTION_API_KEY) but that credential was not declared in the registry metadata — do not supply secrets until you confirm the code and trust the author. (3) Discord management is simulated locally (writes a local discord_config.json) rather than using the Discord API; if you expect the skill to act on your Discord server you should verify it actually uses a Discord token and the official API. (4) The code contains some clear bugs (e.g., malformed assignment in task_board.create_task) — expect runtime errors; review the full source before use. (5) If you need to proceed: run the scripts in a throwaway account/container, inspect and, if desired, modify the code to require and validate explicit env vars and to avoid destructive delete() calls without confirmation. If you can, ask the author to: declare required env vars in metadata (NOTION_API_KEY), document exactly which filesystem paths it will write, and clarify whether Discord operations will ever call the real Discord API and require a Discord token.Like a lobster shell, security has layers — review code before you run it.
latest
Cuong Pahm@nyrosveil
DownloadA2A Manager
Trigger Phrases
| Trigger | Action |
|---|---|
| "tạo agent", "thêm nàng" | Tạo agent mới |
| "tạo channel" | Tạo Discord channel |
| "spawn specialist" | Tạo sub-agent tạm thời |
| "task board", "quản lý task" | Notion task management |
| "quản lý agent" | Agent registry management |
| "điều phối", "phân công" | Task orchestration |
| "A2A", "map" | A2A_MAP management |
| "tìm agent" | Lookup agent |
Agent Types (Task-Steward Inspired)
1. Specialized Agents (Permanent)
Core agents - Sống trong workspace, có identity riêng
- Coordinator: C.C. - Điều phối chính
- Orchestrator: Makima - Phối hợp nhiều agent
- Worker: Winry, Motoko - Thực thi task
- QA: Jalter, Violet - Verify chất lượng
2. Role-specific Agents
Theo chức năng cụ thể
3. Specialists (Sub-agents)
Tạm thời - Sinh ra để làm task cụ thể, xong.Dispose
| Type | Use Case | Model |
|---|---|---|
| temp_worker | Task đơn giản | flash |
| researcher | Nghiên cứu sâu | pro |
| coder | Code task | glm4 |
| qa_reviewer | Verify work | flash |
| runner | Chạy lệnh | flash |
Workflow (Task-Steward với Notion)
Task States
| State | Notion Status | Description |
|---|---|---|
| NOW | Now/Today | Ưu tiên cao |
| WAITING | Waiting | Chờ input |
| IN_PROGRESS | In Progress | Đang làm |
| REVIEW | Ready for Review | Chờ QA |
| DONE | Done | Hoàn thành |
Workflow
Master → Task Request
↓
C.C. (Coordinator) → Classify: Q&A or Task?
↓
Q&A → Answer immediately
Task → Notion Task Board → Execute (spawn Specialist) → QA → Deliver
Scripts
A2A Map
a2a_map.py- Quản lý A2A_MAP.md- Template từ references/A2A_MAP.md
- Validation: agent, model, status
- Versioning + Rollback
- Init tạo workspace/A2A_MAP.md từ template
Task Board (Notion)
task_board.py- Quản lý task trên Notion- Setup database
- Create/Update/List tasks
- Workflow: start, block, complete, approve, reject
Discord
discord_manager.py- Quản lý Category/Channel/Role
Specialist Management
specialist_manager.py- Spawn/dispose sub-agents
Agent Creation
create_agent.py- Tạo agent mới
Quick Actions
A2A Map
# Validate map
python a2a_map.py validate
# Versions
python a2a_map.py versions
Task Board (Notion)
python task_board.py setup <database_id>
python task_board.py create "Fix bug" "Mô tả"
python task_board.py start <task_id>
python task_board.py complete <task_id>
python task_board.py approve <task_id>
Specialists
python specialist_manager.py spawn coder "Fix bug" Winry
python specialist_manager.py list
python specialist_manager.py dispose <spec_id>
Files
- a2a_map.py - Core map (template trong script)
- task_board.py - Notion task management
- specialist_manager.py - Sub-agent management
- create_agent.py - Agent creation
- discord_manager.py - Discord management
Comments
Loading comments...