Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Autogen Multi Agent

v0.1.0

AutoGen v0.4: asyncio actor-runtime multi-agent framework (three packages: autogen-core / autogen-agentchat / autogen-ext).

by Tang Weigang (@tangweigang-jpg)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for tangweigang-jpg/autogen-multi-agent.

Prompt preview (Install & Setup):
Install the skill "Autogen Multi Agent" (tangweigang-jpg/autogen-multi-agent) from ClawHub.
Skill page: https://clawhub.ai/tangweigang-jpg/autogen-multi-agent
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install autogen-multi-agent

ClawHub CLI

npx clawhub@latest install autogen-multi-agent

Security Scan

Capability signals: Crypto; Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability

The skill claims to be a legacy AutoGen multi-agent maintenance/knowledge artifact and provides a seed.yaml for host consumption. Reading seed.yaml and performing environment checks is reasonable for that purpose. However, the skill implicitly requires Python, the zvt package, and network/data providers for backtests — none of these are declared in the skill's metadata (no required binaries or env vars). The primaryEnv = 'knowledge' is not a real credential and does not justify the missing declarations.

! Instruction Scope

SKILL.md and seed.yaml instruct the host agent to run precondition check_command strings (python3 -c '...') that will execute code on the host, import packages, touch files in ~/.zvt, and run data fetch assertions. The instructions also mandate re-reading seed.yaml on any behavioral decision. Those operations go beyond passive instruction-only behavior and require filesystem and command execution privileges; the skill does not clearly limit or qualify these actions. The doc also warns that AutoGen's 'LocalCommandLineCodeExecutor' sanitization is ineffective — a direct risk if the agent is used to execute generated shell commands.

Install Mechanism

There is no install spec and no code files to install; this lowers supply-chain risk because nothing is downloaded or written by an installer. The skill is instruction-only and bundles references/seed.yaml, so all behavioral rules are local to the package.

! Credentials

The skill references environment state and variables (e.g., ZVT_HOME, Python 3.10+, presence of zvt package, writable ~/.zvt, and various ChatCompletion clients) but declares no required env vars or binaries. Required runtime credentials/APIs for external data providers are discussed but not declared as required environment variables. This mismatch between declared requirements (none) and actual instructions (explicit filesystem and python dependency checks, potential network access) is an incoherence and a security concern.

Persistence & Privilege

The skill does not request persistent/always-on presence and does not modify other skills' configs. It does expect to read and write under host_workspace paths and ~/.zvt during precondition checks, but these are scoped to the stated backtest/maintenance use case rather than global privilege escalation.

What to consider before installing

This skill is plausibly what it says (AutoGen maintenance/blueprint), but it asks the host agent to run Python commands and touch/read local data directories even though it doesn't declare Python or ZVT as required. It also warns that AutoGen's command-executor sanitization is missing, meaning generated shell commands may be executed unsafely. Before installing or running:

  (1) review references/seed.yaml yourself to see exactly what check_commands perform;
  (2) run only in an isolated/sandboxed environment (dedicated VM or container) not on a production machine;
  (3) ensure required software (python3, zvt) is intentionally present or run checks manually instead of auto-executing the commands;
  (4) do not provide sensitive credentials or network access unless you audited the skill and the data flows;
  (5) if you need to run it, consider forcing the agent to only simulate precondition checks or to ask for explicit user approval before executing any shell/python commands.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Primary env: knowledge
Tags: ai, api, latest, ml
63 downloads
0 stars
1 version
Updated 3d ago
v0.1.0
MIT-0

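Who is this skill for? What tasks can it handle?

Overview

⚠️ Important: AutoGen v0.4 has entered official Microsoft maintenance mode (README:14,21,23); new projects should use Microsoft Agent Framework (MAF). This skill only serves the maintenance, migration, and troubleshooting of existing AutoGen projects.

AutoGen is an asyncio actor-runtime multi-agent framework (github.com/microsoft/autogen). Three Python packages: autogen-core (runtime + base interfaces), autogen-agentchat (high-level AssistantAgent / GroupChat API), autogen-...

Doramagic crystal page: https://doramagic.ai/zh/crystal/autogen-multi-agent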

Knowledge scale

  • 51 constraints (2 fatal + 49 non-fatal)
  • Upstream source: microsoft/autogen @ commit 027ecf0a
  • Blueprint ID: finance-bp-136

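Usage

The host AI (Claude Code / Cursor / OpenClaw) reads references/seed.yaml and follows its:

  • intent_router to match the user's intent
  • architecture to understand the project architecture
  • constraints to apply anti-pattern constraints
  • business_decisions to consult the core design decisions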

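FAQ summary

Who is this skill for? What tasks can it handle?

Mainly suited to teams maintaining existing AutoGen projects: troubleshooting, migration to MAF, and backward-compatibility patches. Starting new projects on AutoGen is not recommended; use Microsoft Agent Framework (MAF) instead. If the AutoGen paradigm is genuinely required, this skill covers typical use cases such as the actor runtime / GroupChat / Magentic-One.

What environment is needed? What are the dependencies?

Python 3.10+ (per package metadata) and at least one ChatCompletionClient provider (9 in total: openai / anthropic / azure_openai / azure_ai / ollama / llama_cpp / semantic_kernel / cached / replay; OpenAI is the de facto standard).

What pitfalls are there? How does this skill guard against them?

This skill has 51 built-in constraints (2 fatal). CRITICAL security pitfalls: (1) the regex command sanitization that the LocalCommandLineCodeExecutor documentation claims does not exist; all LLM-generated commands are executed directly in a shell on the host; (2) the pyautogen package is now a 0-byte proxy, and v0.2 cookbook code fails in three places;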


Full documentation: see references/seed.yaml (v6.1 schema). Browse page: https://doramagic.ai/zh/crystal/autogen-multi-agent