nonightwatch

Agent-manager-for-AI-planner

Author: NoNightWatch · GitHub · v1.0.2
cross-platform ⚠ suspicious
Total downloads: 732
Favorites: 0
Current installs: 1
Versions: 3
Install in OpenClaw
/install agentmanager
Description
Orchestrates external AI planners by validating, scheduling, executing tools, enforcing budgets, and providing replayable telemetry for plans and runs.
Usage instructions (SKILL.md)

Agent Manager skill

What this file is for

This file is a concise integration contract for AI tool callers and gateway implementers.

This skill.md is a compact integration guide for Clawhub and other AI clients.

Agent Manager is an orchestration kernel for external AI planners. External AI builds plans, and Agent Manager validates, schedules, executes tools, enforces budgets, and provides replayable telemetry.

Authentication

Use X-Run-Token for owner attribution and optional access control.

  • REQUIRE_RUN_TOKEN=1 enables token enforcement.
  • RUN_TOKENS contains allowed token values.

Example header:

X-Run-Token: tenant-a

Capability discovery and endpoint map

Start with:

  • GET /v1/capabilities
  • GET /v1/provider-adapter/schema

Core endpoints:

  • POST /v1/plan (validate plus recommendations)
  • POST /v1/plan/validate
  • POST /v1/plan/generate
  • POST /v1/run
  • POST /v1/run/sync
  • GET /v1/run/:id
  • GET /v1/run/:id/events?after=
  • GET /v1/run/:id/stream
  • GET /v1/run/:id/replay
  • GET /v1/run/:id/report (if enabled)
  • GET /v1/runs
  • POST /v1/run/:id/cancel
  • POST /v1/run/:id/task/:name/inject
  • POST /v1/tools/register (only when enabled)

Provider selection

Provider choice follows this order:

  1. task.provider_id
  2. run.options.provider_id
  3. DEFAULT_PROVIDER_ID
  4. mock

Read provider availability from capabilities.llm_providers.providers and capabilities.llm_providers.default_provider_id.

Recommended client flow

  1. GET /v1/capabilities
  2. POST /v1/plan with { plan, options }
  3. POST /v1/run (async) or POST /v1/run/sync
  4. Stream with GET /v1/run/:id/stream or poll GET /v1/run/:id/events?after=<seq>
  5. Read final run from GET /v1/run/:id
  6. Export replay from GET /v1/run/:id/replay
  7. Use POST /v1/run/:id/task/:name/inject for deterministic overrides when needed

Tool-calling protocol rule

When a provider returns tool_calls, Agent Manager appends exactly one role="tool" message for each tool_call_id before the next provider round.

This prevents protocol errors in model APIs.
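A gateway implementer can check the same rule on a message history before forwarding it to a model API. The validator below is an added example, not Agent Manager's own code; the message shape (tool_calls[].id on the assistant message, tool_call_id on the tool message) and the sample history are assumptions constructed for illustration.

```javascript
// Added example, not the project's code. Returns a list of rule violations:
// every tool_call_id from an assistant round needs exactly one role="tool"
// message before the next non-tool message (or the end of the history).
function checkToolRounds(messages) {
  const errors = [];
  let pending = null; // Map: tool_call_id -> number of tool messages seen

  const closeRound = (at) => {
    if (!pending) return;
    for (const [id, seen] of pending) {
      if (seen === 0) errors.push(`missing tool message for ${id} before index ${at}`);
      if (seen > 1) errors.push(`${seen} tool messages for ${id}`);
    }
    pending = null;
  };

  messages.forEach((msg, i) => {
    if (msg.role === "tool") {
      if (!pending || !pending.has(msg.tool_call_id)) {
        errors.push(`unexpected tool message for ${msg.tool_call_id} at index ${i}`);
      } else {
        pending.set(msg.tool_call_id, pending.get(msg.tool_call_id) + 1);
      }
      return;
    }
    closeRound(i); // any non-tool message starts the next round
    if (msg.role === "assistant" && Array.isArray(msg.tool_calls) && msg.tool_calls.length > 0) {
      pending = new Map(msg.tool_calls.map((call) => [call.id, 0]));
    }
  });
  closeRound(messages.length);
  return errors;
}

// Constructed sample: a timed-out tool still gets its one tool message.
const SAMPLE_HISTORY = [
  { role: "user", content: "sum the invoices" },
  { role: "assistant", tool_calls: [{ id: "call_1" }, { id: "call_2" }] },
  { role: "tool", tool_call_id: "call_1", content: '{"total": 42}' },
  { role: "tool", tool_call_id: "call_2", content: '{"error_code":"TOOL_TIMEOUT","retryable":true}' },
  { role: "assistant", content: "The total is 42." },
];
```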

SSE reliability and resume

GET /v1/run/:id/stream sends event id from event sequence numbers.

  • Resume with Last-Event-ID header or ?after= query.
  • If idle and run is non-terminal, heartbeat comments are emitted:
: ping

Heartbeat interval uses SSE_HEARTBEAT_MS (default 15000).
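A client-side reader for this stream, as an added example that is not part of the project: it reassembles events from arbitrary chunks, ignores `: ping` heartbeats, drops events replayed after a reconnect, and builds the resume headers. It assumes each event carries an integer `id` and a JSON `data` payload; the class and method names are hypothetical.

```javascript
// Added example, not the project's code.
class RunStreamReader {
  constructor() {
    this.buffer = "";
    this.lastSeq = 0;    // highest event id processed so far
    this.heartbeats = 0; // ": ping" comment lines seen
  }

  // Accepts a raw chunk that may end mid-line or mid-event and returns the
  // events it completes, skipping any already seen before a resume.
  push(chunk) {
    this.buffer = (this.buffer + chunk).replace(/\r\n/g, "\n");
    const out = [];
    let end;
    while ((end = this.buffer.indexOf("\n\n")) !== -1) {
      const event = this.parseBlock(this.buffer.slice(0, end));
      this.buffer = this.buffer.slice(end + 2);
      if (event) out.push(event);
    }
    return out;
  }

  parseBlock(block) {
    let seq = null;
    const data = [];
    for (const line of block.split("\n")) {
      if (line.startsWith(":")) { this.heartbeats += 1; continue; } // comment line
      const colon = line.indexOf(":");
      const field = colon === -1 ? line : line.slice(0, colon);
      const value = colon === -1 ? "" : line.slice(colon + 1).replace(/^ /, "");
      if (field === "id") seq = Number.parseInt(value, 10);
      else if (field === "data") data.push(value);
    }
    if (seq === null || Number.isNaN(seq) || data.length === 0) return null;
    if (seq <= this.lastSeq) return null; // replayed after reconnect
    this.lastSeq = seq;
    return { seq, payload: JSON.parse(data.join("\n")) };
  }

  // Headers for the reconnect request to GET /v1/run/:id/stream.
  resumeHeaders(runToken) {
    const headers = { "X-Run-Token": runToken };
    if (this.lastSeq > 0) headers["Last-Event-ID"] = String(this.lastSeq);
    return headers;
  }
}
```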

Event types

Common emitted event types include:

  • task_start, task_end, task_retry
  • tool_call_requested, tool_call_start, tool_call_end, tool_call_failed, tool_call_started, tool_call_finished
  • llm_step_start, llm_step_tool_calls, llm_step_final
  • llm_round_start, llm_round_tool_calls, llm_round_final
  • budget_violation, fallback_start, fallback_end
  • run_complete, run_cancel_requested
  • dependency_truncated, artifact_limit

Replay and report data

GET /v1/run/:id/replay returns stable replay JSON:

{
  "run": { "id": "run_123", "created_at": 1700000000000, "status": "succeeded" },
  "plan_digest": "sha256:...",
  "events": [{ "seq": 1, "type": "task_start", "run_id": "run_123" }],
  "results_index": { "task_a": { "digest_hash": "sha256:..." } }
}

Run cost attribution is exposed per task in run.metrics.cost_breakdown:

{
  "metrics": {
    "cost_breakdown": {
      "task_a": {
        "cost_est": 0.0021,
        "tier": "cheap",
        "tool_calls": 1
      }
    }
  }
}

HTTP callback tools and timeout enforcement

Callback tools use callback_url and enforce ToolSpec.timeout_ms.

The execution signal combines run abort plus timeout. On timeout, tool result is structured with error_code as TOOL_TIMEOUT and retryable: true.

Provider adapter contract

Use GET /v1/provider-adapter/schema to fetch schema_version, request and response schemas, and examples for your gateway implementation.

Outbound security defaults

Outbound traffic is blocked by default until allowlists are configured.

  • Provider and gateway calls require OUTBOUND_ALLOWLIST.
  • Callback tools require TOOL_CALLBACK_ALLOWLIST.
  • IP literal hostnames and redirect chains are blocked.
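The checks listed above can be sketched as a pre-flight guard. This is an added example and not the project's `src/security/outbound-policy.ts`; it assumes the allowlist is a comma-separated list of exact hostnames and that HTTPS is required by default, and the function names are hypothetical.

```javascript
// Added example, not the project's code.
function parseAllowlist(value) {
  return new Set(
    String(value || "").split(",").map((h) => h.trim().toLowerCase()).filter(Boolean)
  );
}

// The WHATWG URL parser has already normalised forms such as 0x7f.1 or
// 2130706433 to dotted-decimal, and IPv6 literals keep their brackets.
function isIpLiteral(hostname) {
  return hostname.startsWith("[") || /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname);
}

// Decide on the parsed URL, never on the raw string.
function checkOutbound(rawUrl, allowlistValue) {
  const allow = parseAllowlist(allowlistValue);
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { allowed: false, reason: "invalid_url" };
  }
  if (url.protocol !== "https:") return { allowed: false, reason: "scheme_not_https" };
  if (url.username || url.password) return { allowed: false, reason: "userinfo_present" };
  const host = url.hostname.replace(/\.$/, ""); // ignore a trailing root dot
  if (isIpLiteral(host)) return { allowed: false, reason: "ip_literal" };
  if (allow.size === 0) return { allowed: false, reason: "allowlist_empty" };
  if (!allow.has(host)) return { allowed: false, reason: "host_not_allowlisted" };
  return { allowed: true, reason: "ok", host };
}

// With redirect "error", fetch rejects on any 3xx instead of following it,
// so an allowlisted host cannot bounce the request elsewhere.
async function guardedFetch(rawUrl, allowlistValue, init = {}) {
  const verdict = checkOutbound(rawUrl, allowlistValue);
  if (!verdict.allowed) throw new Error(`outbound blocked: ${verdict.reason}`);
  return fetch(rawUrl, { ...init, redirect: "error" });
}
```

A hostname check alone does not cover an allowlisted name that resolves to a private address; that needs a check on the resolved address at connect time.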

Telemetry redaction

Enable REDACT_TELEMETRY=1 with mode hash or truncate to redact sensitive event and replay fields for shared deployments.

Environment variables

This service uses validated configuration from src/config.ts. Critical outbound controls: OUTBOUND_HOST_ALLOWLIST, OUTBOUND_ALLOW_ALL, ALLOW_INSECURE_HTTP, TOOL_CALLBACK_ALLOWLIST, MAX_PROVIDER_REQUEST_BYTES, MAX_TOOL_CALLBACK_REQUEST_BYTES, and redaction flags.

Outbound data disclosure

When gateway or callback tools are enabled, task inputs, dependency payloads, and tool payloads may be sent outbound to allowed destinations. Keep allowlists strict in shared deployments.

Security recommendations
What to consider before installing/running this skill:

  • Metadata mismatch: although the registry lists no required env vars and says 'instruction-only', the archive includes a full Node.js service (package.json, src/, tests). Treat it as executable code — review the source and run it in an isolated environment first.
  • Secrets and API keys: the service accepts provider keys (GATEWAY_API_KEY, OPENAI_API_KEY, ANTHROPIC_API_KEY) and per-tool auth via TOOL_AUTH_<REF>. Only set the minimum keys you need and avoid placing high-privilege secrets in the skill's environment.
  • Outbound network risk: the server can make outbound HTTP requests for providers and callback tools. By default outbound is blocked until you configure allowlists, but misconfiguration (OUTBOUND_ALLOW_ALL=true or overly broad OUTBOUND_ALLOWLIST/OUTBOUND_HOST_ALLOWLIST or TOOL_CALLBACK_ALLOWLIST) could permit exfiltration of task inputs/artifacts. Keep allowlists strict and prefer explicit host entries.
  • Enable access controls: set REQUIRE_RUN_TOKEN=1 and populate RUN_TOKENS to avoid anonymous runs in shared deployments. Disable tool registration (ENABLE_TOOL_REGISTER/ENABLE_TOOL_REGISTRATION) unless you need it and trust registrants.
  • Telemetry: enable REDACT_TELEMETRY (mode hash or truncate) if you will share replay/report artifacts outside a trusted environment.
  • Run in isolated environment first: build and exercise tests (npm ci; npm run test) and run behind a firewall or in an isolated network to verify outbound behavior and that private addresses are blocked as expected.

If you want, I can:

  • flag the exact files/lines that reference sensitive env vars and external network calls,
  • produce a short checklist of environment settings to safely deploy in production,
  • or extract the code paths that perform outbound resolution and tool callback invocation for deeper review.
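The settings named in these recommendations can be checked mechanically before deployment. The audit below is an added example, not part of the skill bundle; it assumes flags are enabled by "1" or "true", that list variables are comma-separated, and that a "*" in an allowlist entry marks a broad pattern.

```javascript
// Added example, not the project's code.
const TRUTHY = new Set(["1", "true"]);
const isOn = (v) => TRUTHY.has(String(v ?? "").trim().toLowerCase());
const list = (v) => String(v ?? "").split(",").map((s) => s.trim()).filter(Boolean);

// Returns findings for the environment variables the page names.
function auditEnv(env) {
  const findings = [];
  const add = (severity, key, message) => findings.push({ severity, key, message });

  if (isOn(env.OUTBOUND_ALLOW_ALL)) {
    add("high", "OUTBOUND_ALLOW_ALL", "permissive outbound flag is set");
  }
  if (isOn(env.ALLOW_INSECURE_HTTP)) {
    add("high", "ALLOW_INSECURE_HTTP", "plain HTTP outbound calls are permitted");
  }
  for (const key of ["OUTBOUND_ALLOWLIST", "OUTBOUND_HOST_ALLOWLIST", "TOOL_CALLBACK_ALLOWLIST"]) {
    for (const entry of list(env[key])) {
      if (entry.includes("*")) add("medium", key, `broad entry "${entry}"; prefer explicit hosts`);
    }
  }
  if (!isOn(env.REQUIRE_RUN_TOKEN)) {
    add("medium", "REQUIRE_RUN_TOKEN", "token enforcement is off; anonymous runs accepted");
  } else if (list(env.RUN_TOKENS).length === 0) {
    add("high", "RUN_TOKENS", "token enforcement is on but no tokens are configured");
  }
  for (const key of ["ENABLE_TOOL_REGISTER", "ENABLE_TOOL_REGISTRATION"]) {
    if (isOn(env[key])) add("medium", key, "tool registration is enabled");
  }
  if (!isOn(env.REDACT_TELEMETRY)) {
    add("low", "REDACT_TELEMETRY", "replay and report fields are not redacted");
  }
  return findings;
}

// Constructed sample environment with several weak settings.
const SAMPLE_ENV = {
  OUTBOUND_ALLOW_ALL: "true",
  REQUIRE_RUN_TOKEN: "1",
  RUN_TOKENS: "",
  TOOL_CALLBACK_ALLOWLIST: "*.example.com",
};
```

In a Node process, `auditEnv(process.env)` audits the live environment.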
Functional analysis
Type: OpenClaw Skill
Name: agentmanager
Version: 1.0.2

The OpenClaw AgentSkills skill bundle is classified as benign. The code demonstrates a strong focus on security, particularly in `src/lib/safe-fetch.ts`, `src/security/outbound-policy.ts`, and `src/services/tools.ts`. Outbound network calls are strictly controlled by default, requiring explicit allowlists and blocking IP literals, private addresses, and redirects. Built-in tools like `js_eval` are robustly sandboxed to arithmetic-only expressions, and `file_store` prevents path traversal. The `skill.md` file serves as API documentation and does not contain any prompt injection attempts or instructions for an AI agent to perform unauthorized actions. While the system offers configurable options that could weaken security if misconfigured (e.g., `OUTBOUND_ALLOW_ALL=1`, `ALLOW_INSECURE_HTTP_TOOLS=1`), these are configuration risks rather than evidence of intentional malicious design within the skill bundle itself.
Capability assessment
Purpose & Capability
The code and SKILL.md implement an orchestration API (plan, run, events, replay, provider adapters, tool callbacks) consistent with the name/description. However the registry metadata states 'required env vars: none' and 'instruction-only', while the package contains a full Node/TypeScript server and numerous configurable environment variables (GATEWAY_API_KEY, OPENAI_API_KEY, ANTHROPIC_API_KEY, OUTBOUND_ALLOWLIST, TOOL_AUTH_*, etc.). This mismatch between metadata and the code/bundle is an incoherence the user should be aware of.
Instruction Scope
SKILL.md is narrowly scoped to the service's API and operational guidance (endpoints, token header X-Run-Token, allowlists, redaction). It does not instruct the agent to read unrelated local files or exfiltrate secrets. The documentation explicitly warns that task inputs/artifacts may be sent outbound when gateways or callback tools are enabled.
Install Mechanism
The registry claims 'No install spec / instruction-only', but the bundle contains full source, package.json, and tests. There is no declared install script in the skill manifest; installing/running will require npm (node >= 20) and will write/execute code locally. The absence of an explicit install step in metadata while shipping executable code is an inconsistency worth flagging.
Credentials
The service legitimately exposes many configuration variables for providers, allowlists, timeouts, and redaction (GATEWAY_URL, GATEWAY_API_KEY, OPENAI_API_KEY, ANTHROPIC_API_KEY, OUTBOUND_ALLOWLIST, TOOL_CALLBACK_ALLOWLIST, TOOL_AUTH_<ref>, etc.). These are proportionate to an orchestration gateway, but the registry metadata does not declare them as required. Because the service can forward task inputs to external hosts (when allowlisted), any provider API keys or TOOL_AUTH_* secrets set in the environment could be used by the service — ensure only minimal needed credentials are provided and that permissive allowlist flags (OUTBOUND_ALLOW_ALL) are disabled in production.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills' configs. It persists runs only if configured (PERSIST_RUNS) and exposes standard API controls for token enforcement. Autonomous invocation is allowed by platform default but not uniquely elevated here.
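How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install agentmanager
  3. Once installed, call the Skill by name or trigger it with /agentmanager
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history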
v1.0.2
  • Added new core modules: `src/config.ts` for validated configuration and `src/lib/safe-fetch.ts` for safe network requests.
  • Introduced basic tests for provider gateway and safe fetch logic (`tests/gateway-provider.test.ts`, `tests/safe-fetch.test.ts`).
  • Updated documentation to clarify environment variable requirements and outbound data handling.
v1.0.1
Summary: Adds provider adapter contract schema, outbound security defaults, telemetry redaction, and several security enhancements.
  • Introduced `/v1/provider-adapter/schema` endpoint for gateway implementors.
  • Outbound network access is now blocked by default; requires allowlist configuration for providers, gateways, and callback tools.
  • Added support for telemetry redaction via the `REDACT_TELEMETRY` environment variable.
  • Updated provider selection documentation and improved capability reporting.
  • Security hardening: blocks IP literal hostnames and unsafe redirects.
  • Expanded documentation (SKILL.md) to cover new features and security requirements.
v1.0.0
Initial release of Agent Manager: orchestration kernel for AI planners.
  • Supports authentication with `X-Run-Token` and configurable token enforcement.
  • Provides endpoints for plan validation, run execution (async/sync), event streaming, replay, and reporting.
  • Enables provider selection and dynamic capability discovery.
  • Implements reliable SSE event streaming with heartbeat and resume support.
  • Details emitted event types, replay data structure, and cost attribution.
  • Supports HTTP callback tools with structured timeout enforcement.
Metadata
Slug: agentmanager
Version: 1.0.2
License:
Cumulative installs: 1
Current installs: 1
Historical versions: 3
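Frequently asked questions

What is Agent-manager-for-AI-planner?

Orchestrates external AI planners by validating, scheduling, executing tools, enforcing budgets, and providing replayable telemetry for plans and runs. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 732 cumulative downloads so far.

How do I install Agent-manager-for-AI-planner?

Run the command "/install agentmanager" in the OpenClaw or Claude Code chat box to install it in one step, with no extra configuration.

Is Agent-manager-for-AI-planner free?

Yes, Agent-manager-for-AI-planner is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Agent-manager-for-AI-planner support?

Agent-manager-for-AI-planner runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Agent-manager-for-AI-planner?

It is developed and maintained by NoNightWatch (@nonightwatch); the current version is v1.0.2.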
