Skill

v0.1.0

Claude Code 多智能体编排平台，部署 100+ 专业 AI 智能体协同工作，通过蜂群拓扑（层级/网状/环形/星形）协调自主工作流，内置自学习、向量记忆和原生 MCP 集成

⭐ 0· 71·0 current·0 all-time

by@cn-big-cabbage

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for cn-big-cabbage/claude-flow.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Skill" (cn-big-cabbage/claude-flow) from ClawHub.
Skill page: https://clawhub.ai/cn-big-cabbage/claude-flow
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install claude-flow

ClawHub CLI

Package manager switcher

npx clawhub@latest install claude-flow

Security Scan

Capability signals

CryptoCan make purchasesRequires sensitive credentials

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

The skill claims to integrate deeply with Claude Code and multiple LLM providers and the SKILL.md/guides show exactly those actions (MCP registration, spawning agents, using Anthropic/OpenAI/Google keys). That functionality reasonably requires provider API keys and system config changes, so the capability matches the purpose. However, the registry metadata lists no required env vars or install steps despite the instructions repeatedly requiring ANTHROPIC_API_KEY (and optional OPENAI/GOOGLE keys) and advising system config edits — this metadata mismatch is inconsistent.

Instruction Scope

The instructions tell the agent (and the user) to: run network installs (curl | bash via jsdelivr), run npx packages, write API keys into .env and shell startup files, and add entries to ~/.claude/settings.json to register an MCP server. The guides explicitly mark the one‑line curl install as 'AI 可自动执行' (AI may automatically execute). Those steps grant broad system modification rights and involve secrets; they go beyond simple read-only integration and give the agent scope to run arbitrary code on the host.

Install Mechanism

Although the registry has no install spec, the docs instruct using 'curl -fsSL https://cdn.jsdelivr.net/gh/ruvnet/ruflo@main/scripts/install.sh | bash' and npx ruflo@latest. Piping an unsigned remote script from a CDN to bash is high risk; npx executes remote npm code (moderate risk). There are no checksums or pinned releases shown in the docs. The download host (jsdelivr -> GitHub user repo) is plausible but unverified in this package metadata.

Credentials

The skill clearly requires an Anthropic API key (and optionally other provider keys) to operate, which is proportionate to a multi‑LLM orchestration tool — but the registry metadata claims no required env vars. The guides also instruct writing keys into .env and shell rc files and embedding them into ~/.claude/settings.json for MCP, which increases the attack surface if the install scripts or agent behavior are malicious or buggy.

ℹ

Persistence & Privilege

The skill does not set always:true and is user-invocable, which is normal. However, it instructs adding a persistent MCP entry to ~/.claude/settings.json and restarting Claude Code, which gives the skill a persistent integration point in the user's Claude Code environment. Combined with the instruction that the AI can 'automatically execute' install steps and the detected prompt‑injection pattern, this persistent integration increases potential impact and should be treated carefully.

Scan Findings in Context

[system-prompt-override] unexpected: The SKILL.md/guides include phrasing like 'AI 可自动执行' and other directive language; the pre-scan flagged a system-prompt-override pattern. A skill that attempts to override or influence the evaluator/agent system prompt is unexpected for an installation guide and is a prompt‑injection red flag.

What to consider before installing

This skill does appear to do what it says (Claude Code multi‑agent orchestration) but there are multiple red flags you should verify before installing: 1) Inspect the upstream repository and the install script (https://cdn.jsdelivr.net/gh/ruvnet/ruflo@main/scripts/install.sh) — do not run curl | bash without auditing its contents. 2) Confirm the npm package 'ruflo/claude-flow' and GitHub project identity and recent history; if the repo is untrusted or empty, don't install. 3) Treat API keys with care: create least‑privilege keys, avoid putting them in global shell rc files, and avoid embedding them into arbitrary config files unless you control those files. 4) Prefer to run installation in an isolated environment (VM/container) first and review logs. 5) Because the docs claim the AI can 'automatically execute' commands and a prompt‑injection pattern was detected, avoid granting the agent autonomous execution on your machine until you have audited the code and scripts. If you cannot validate the origin and contents of the install script and package, consider not installing or limiting exposure (use ephemeral credentials, isolated environment).

guides/03-advanced-usage.md:45

Prompt-injection style instruction pattern detected.

About static analysis

These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latestvk975ma4av7831bcj4axkbvbcad85avz9

71downloads

0stars

1versions

Updated 6d ago

v0.1.0

MIT-0

Claude-Flow — Claude Code 多智能体编排平台

Claude-Flow（现更名为 Ruflo）是专为 Claude Code 设计的企业级多智能体编排框架，将 Claude Code 变成强大的多智能体开发平台。通过 MCP 原生集成，可在 Claude Code 会话中直接协调 100+ 专业智能体（coder、tester、reviewer、architect、security 等），智能体通过蜂群拓扑自组织，支持层级（Queen/Worker）或网状（P2P）协作模式，并具备持续自学习能力。

核心使用场景

复杂软件工程任务：自动分解大型任务，分配给专业智能体并行处理
代码审查与安全审计：同时运行 reviewer、security、tester 智能体进行全面检查
架构设计：architect 智能体协调 researcher、analyst 智能体完成技术选型
自动化测试：tester 智能体批量生成和执行测试，optimizer 智能体分析结果
文档生成：documenter 智能体并发处理多个模块的文档

AI 辅助使用流程

一键安装 — AI 执行 npx ruflo@latest init --wizard 完成 Claude Code MCP 集成
选择智能体 — AI 根据任务选择合适的专业智能体类型
启动蜂群 — AI 启动智能体蜂群，自动设置 Queen/Worker 拓扑
监控协调 — AI 实时查看智能体状态和任务分配
收集成果 — 智能体协作完成后，Queen 整合所有工作成果
知识复用 — 成功模式自动存入向量记忆，未来同类任务直接复用

关键章节导航

安装指南 — npx 安装、MCP 配置、Claude Code 集成
快速开始 — 启动智能体、蜂群模式、对话驱动编排
高级用法 — 自定义智能体、多模型切换、向量记忆、插件
故障排查 — MCP 连接、智能体超时、记忆数据库

AI 助手能力

使用本技能时，AI 可以：

✅ 安装 Claude-Flow 并配置 Claude Code MCP 集成
✅ 启动和配置专业智能体（coder、tester、reviewer 等）
✅ 组建蜂群，设置 Queen/Worker 层级拓扑
✅ 分解复杂任务并分配给最合适的智能体
✅ 监控智能体状态和任务进度
✅ 查询和利用智能体向量记忆中存储的成功模式
✅ 切换不同 LLM 提供商（Claude/GPT/Gemini/Ollama）

核心功能

✅ 100+ 专业智能体 — 涵盖 coder、tester、reviewer、architect、security 等角色
✅ 蜂群协调 — 层级（Queen/Worker）、网状（P2P）、环形、星形拓扑
✅ 容错共识 — Raft、Byzantine、Gossip 三种共识算法
✅ 自学习记忆 — HNSW 向量搜索 + SQLite 持久化，成功模式自动复用
✅ MCP 原生集成 — 310+ MCP 工具，直接在 Claude Code 中使用
✅ 多 LLM 支持 — Claude/GPT/Gemini/Cohere/Ollama，自动故障切换
✅ WASM 优化引擎 — 简单任务跳过 LLM 调用（<1ms），Token 压缩 30-50%
✅ 安全防护 — 内置提示注入防护、路径遍历防护、命令注入拦截
✅ 插件系统 — 自定义 Worker、Hook、Provider，IPFS 市场分发

快速示例

# 一键安装（推荐）
curl -fsSL https://cdn.jsdelivr.net/gh/ruvnet/ruflo@main/scripts/install.sh | bash

# 或通过 npx
npx ruflo@latest init --wizard

# 启动 Claude Code MCP 服务器
npx ruflo@latest mcp start

# 查看可用智能体
npx ruflo@latest agent list

# 启动蜂群处理复杂任务
npx ruflo@latest swarm start --topology hierarchical --agents coder,tester,reviewer

在 Claude Code 对话中直接使用：

# 直接描述任务，Claude-Flow 自动路由到合适智能体
帮我审查 src/auth/ 目录的安全性，需要代码审查、安全扫描和测试覆盖率检查

安装要求

依赖	版本要求
Node.js	>= 18.0
Claude Code	最新版
npm/npx	任意版本
Anthropic API Key	必需（用于 Claude）

项目链接

GitHub：https://github.com/ruvnet/claude-flow
npm：https://www.npmjs.com/package/claude-flow
Discord：https://discord.com/invite/dfxmpwkG2D

Comments

Loading comments...