← Back to Skills Marketplace
caidongyun

Aagent System

by caidongyun · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
464
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install aagent-system
Description
多智能体自动化系统,用于AI Agent技能样本采集、安全扫描、威胁情报收集和研究分析。支持单机多进程架构,可自动采集样本、检测恶意技能、提取IOC、更新规则。触发命令: /aagent start
README (SKILL.md)

AAgent System

多智能体自动化系统 - 技能安全研究利器

功能

  1. 样本采集 - 从npm/GitHub/ClawHub自动采集技能样本
  2. 安全扫描 - 检测恶意代码、凭证泄露、C2连接
  3. 威胁情报 - 自动收集安全威胁情报
  4. 规则迭代 - 持续优化检测规则

架构

采集层(4进程) → 分析层(2进程) → 研究层(2进程)

使用

启动系统

/aagent start

停止系统

/aagent stop

查看状态

/aagent status

查看样本

/aagent samples

管理命令

# 启动
node ~/.openclaw/workspace/skills/aagent-system/bin/agent-manager.cjs start

# 状态
node ~/.openclaw/workspace/skills/aagent-system/bin/agent-manager.cjs status

# 停止
node ~/.openclaw/workspace/skills/aagent-system/bin/agent-manager.cjs stop

配置

目标样本: 2,000,000

Usage Guidance
This skill's code mostly matches its claimed purpose (collecting and scanning packages), but it also executes shell scripts from the user's home (~) and launches many background processes — behaviors not described in the SKILL.md. Before installing or running it: 1) Inspect the referenced shell scripts (~/aass-scripts/* and ~/aass-dataset/*) or remove those exec calls; 2) Run the skill in a sandboxed environment (VM/container) and limit its network access; 3) Consider limiting process permissions and resource caps (CPU/memory); 4) Confirm the skill's provenance — there is no homepage or owner info beyond an ID; 5) If you cannot audit the external scripts, do not run this on a production or sensitive machine. These steps will reduce the risk that hidden or unrelated local scripts are executed or that the system is overwhelmed by spawned processes.
Capability Analysis
Type: OpenClaw Skill Name: aagent-system Version: 1.0.0 The AAgent System is a complex multi-process crawler designed to collect and scan npm packages for security research. While its stated purpose is benign, it exhibits high-risk behavior by attempting to execute multiple external shell scripts located in the user's home directory (e.g., `~/aass-scripts/3layer_scheduler.sh`, `~/aass-scripts/daily_intel.sh`, and `~/aass-dataset/secure_dataset.sh`) within `agents/analyzer/agent.cjs`, `agents/researcher/agent.cjs`, and `agents/scanner/agent.cjs`. Furthermore, the system is designed to be highly aggressive, with `agents/evolver/agent.cjs` and `agents/orchestrator/agent.cjs` capable of dynamically spawning and managing dozens of background processes. The reliance on unvetted external scripts in the home directory is a significant security risk.
Capability Assessment
Purpose & Capability
Most code (collectors, scanners, perf monitor, evolver, designer) aligns with the stated purpose of automated sample collection and scanning. However several agents call external shell scripts located in the user's home directory (e.g., analyzer: '~/aass-scripts/3layer_scheduler.sh', researcher: '~/aass-scripts/daily_intel.sh', scanner: '~/aass-dataset/secure_dataset.sh'), which are not mentioned in SKILL.md or other documentation and are outside the skill's codebase — this is disproportionate to the described functionality and unexplained.
Instruction Scope
SKILL.md instructs running node agent manager and viewing local data files (samples.json, logs) which is fine. But runtime code extends scope by: executing arbitrary shell scripts in ~ (see analyzer/researcher/scanner), launching background processes with inline shell commands (orchestrator, evolver spawn new agents via exec with '&'), and invoking pgrep to enumerate processes. Those actions read and execute things outside the skill directory and give the skill broad runtime effects beyond simple API scraping and scanning.
Install Mechanism
No install spec (instruction-only install) reduces supply-chain download risk. But this skill includes many JavaScript files that will be placed in the workspace and executed if started — there is no external binary download, which is lower risk than remote installers, but the included code will still spawn processes and run shell commands locally.
Credentials
The skill declares no required environment variables or credentials (appropriate for public registry scraping). That said, it performs network requests to many external endpoints (npm, cnpm, GitHub) and may start scripts in the user's home that could access credentials present there — the code does not request secrets but could execute local shell scripts that read them, which is a potential indirect risk.
Persistence & Privilege
always:false (good). But the orchestrator and evolver intentionally spawn many background Node processes (e.g., startRole uses 'node agents/... > /dev/null 2>&1 &' and evolver executes background nodes in a loop). That grants the skill persistent, multi-process presence and can consume significant system resources or run arbitrary commands (especially combined with execution of home-directory scripts). This persistent process-spawning is more privileged than a simple synchronous skill invocation.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install aagent-system
  3. After installation, invoke the skill by name or use /aagent-system
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of aagent-system: a multi-agent automation platform for AI Agent skill sample collection and security research. - Automates sample collection, malicious code detection, IOC extraction, and rule updates. - Integrates with npm, GitHub, and ClawHub to gather skill samples. - Provides command triggers: /aagent start, stop, status, samples. - Supports multi-process architecture for scalable research and analysis. - Includes management commands for easy system control.
Metadata
Slug aagent-system
Version 1.0.0
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Aagent System?

多智能体自动化系统,用于AI Agent技能样本采集、安全扫描、威胁情报收集和研究分析。支持单机多进程架构,可自动采集样本、检测恶意技能、提取IOC、更新规则。触发命令: /aagent start. It is an AI Agent Skill for Claude Code / OpenClaw, with 464 downloads so far.

How do I install Aagent System?

Run "/install aagent-system" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Aagent System free?

Yes, Aagent System is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Aagent System support?

Aagent System is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Aagent System?

It is built and maintained by caidongyun (@caidongyun); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments