← 返回 Skills 市场
Aagent System
作者
caidongyun
· GitHub ↗
· v1.0.0
· MIT-0
464
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install aagent-system
功能描述
多智能体自动化系统,用于AI Agent技能样本采集、安全扫描、威胁情报收集和研究分析。支持单机多进程架构,可自动采集样本、检测恶意技能、提取IOC、更新规则。触发命令: /aagent start
使用说明 (SKILL.md)
AAgent System
多智能体自动化系统 - 技能安全研究利器
功能
- 样本采集 - 从npm/GitHub/ClawHub自动采集技能样本
- 安全扫描 - 检测恶意代码、凭证泄露、C2连接
- 威胁情报 - 自动收集安全威胁情报
- 规则迭代 - 持续优化检测规则
架构
采集层(4进程) → 分析层(2进程) → 研究层(2进程)
使用
启动系统
/aagent start
停止系统
/aagent stop
查看状态
/aagent status
查看样本
/aagent samples
管理命令
# 启动
node ~/.openclaw/workspace/skills/aagent-system/bin/agent-manager.cjs start
# 状态
node ~/.openclaw/workspace/skills/aagent-system/bin/agent-manager.cjs status
# 停止
node ~/.openclaw/workspace/skills/aagent-system/bin/agent-manager.cjs stop
配置
目标样本: 2,000,000
安全使用建议
This skill's code mostly matches its claimed purpose (collecting and scanning packages), but it also executes shell scripts from the user's home (~) and launches many background processes — behaviors not described in the SKILL.md. Before installing or running it: 1) Inspect the referenced shell scripts (~/aass-scripts/* and ~/aass-dataset/*) or remove those exec calls; 2) Run the skill in a sandboxed environment (VM/container) and limit its network access; 3) Consider limiting process permissions and resource caps (CPU/memory); 4) Confirm the skill's provenance — there is no homepage or owner info beyond an ID; 5) If you cannot audit the external scripts, do not run this on a production or sensitive machine. These steps will reduce the risk that hidden or unrelated local scripts are executed or that the system is overwhelmed by spawned processes.
功能分析
Type: OpenClaw Skill
Name: aagent-system
Version: 1.0.0
The AAgent System is a complex multi-process crawler designed to collect and scan npm packages for security research. While its stated purpose is benign, it exhibits high-risk behavior by attempting to execute multiple external shell scripts located in the user's home directory (e.g., `~/aass-scripts/3layer_scheduler.sh`, `~/aass-scripts/daily_intel.sh`, and `~/aass-dataset/secure_dataset.sh`) within `agents/analyzer/agent.cjs`, `agents/researcher/agent.cjs`, and `agents/scanner/agent.cjs`. Furthermore, the system is designed to be highly aggressive, with `agents/evolver/agent.cjs` and `agents/orchestrator/agent.cjs` capable of dynamically spawning and managing dozens of background processes. The reliance on unvetted external scripts in the home directory is a significant security risk.
能力评估
Purpose & Capability
Most code (collectors, scanners, perf monitor, evolver, designer) aligns with the stated purpose of automated sample collection and scanning. However several agents call external shell scripts located in the user's home directory (e.g., analyzer: '~/aass-scripts/3layer_scheduler.sh', researcher: '~/aass-scripts/daily_intel.sh', scanner: '~/aass-dataset/secure_dataset.sh'), which are not mentioned in SKILL.md or other documentation and are outside the skill's codebase — this is disproportionate to the described functionality and unexplained.
Instruction Scope
SKILL.md instructs running node agent manager and viewing local data files (samples.json, logs) which is fine. But runtime code extends scope by: executing arbitrary shell scripts in ~ (see analyzer/researcher/scanner), launching background processes with inline shell commands (orchestrator, evolver spawn new agents via exec with '&'), and invoking pgrep to enumerate processes. Those actions read and execute things outside the skill directory and give the skill broad runtime effects beyond simple API scraping and scanning.
Install Mechanism
No install spec (instruction-only install) reduces supply-chain download risk. But this skill includes many JavaScript files that will be placed in the workspace and executed if started — there is no external binary download, which is lower risk than remote installers, but the included code will still spawn processes and run shell commands locally.
Credentials
The skill declares no required environment variables or credentials (appropriate for public registry scraping). That said, it performs network requests to many external endpoints (npm, cnpm, GitHub) and may start scripts in the user's home that could access credentials present there — the code does not request secrets but could execute local shell scripts that read them, which is a potential indirect risk.
Persistence & Privilege
always:false (good). But the orchestrator and evolver intentionally spawn many background Node processes (e.g., startRole uses 'node agents/... > /dev/null 2>&1 &' and evolver executes background nodes in a loop). That grants the skill persistent, multi-process presence and can consume significant system resources or run arbitrary commands (especially combined with execution of home-directory scripts). This persistent process-spawning is more privileged than a simple synchronous skill invocation.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install aagent-system - 安装完成后,直接呼叫该 Skill 的名称或使用
/aagent-system触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of aagent-system: a multi-agent automation platform for AI Agent skill sample collection and security research.
- Automates sample collection, malicious code detection, IOC extraction, and rule updates.
- Integrates with npm, GitHub, and ClawHub to gather skill samples.
- Provides command triggers: /aagent start, stop, status, samples.
- Supports multi-process architecture for scalable research and analysis.
- Includes management commands for easy system control.
元数据
常见问题
Aagent System 是什么?
多智能体自动化系统,用于AI Agent技能样本采集、安全扫描、威胁情报收集和研究分析。支持单机多进程架构,可自动采集样本、检测恶意技能、提取IOC、更新规则。触发命令: /aagent start. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 464 次。
如何安装 Aagent System?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install aagent-system」即可一键安装,无需额外配置。
Aagent System 是免费的吗?
是的,Aagent System 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Aagent System 支持哪些平台?
Aagent System 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Aagent System?
由 caidongyun(@caidongyun)开发并维护,当前版本 v1.0.0。
推荐 Skills