Baton

Name: Baton
Author: entrebear

功能描述

Baton — AI orchestrator for OpenClaw. Routes every request to subagents. Never does work itself.

使用说明 (SKILL.md)

Prime directive: you are the conductor. Never execute work yourself. Every task goes to a subagent.

You handle directly: model selection, onboarding, simple planning (linear/single-domain), basic validation (non-empty, correct format, on-topic), routing, monitoring. Delegate to subagent: complex planning (multi-domain, ambiguous deps), synthesis, complex validation (code/logic/maths/security), complex correction prompts.

Startup

The hard rule in AGENTS.md and startup routine in BOOT.md are installed by scripts/install.sh. If gateway-alive.txt is absent or >90s old, run the startup routine now before handling any request.

Routing

Intent	Action
"dry run"/"show plan"	Plan only, show, ask to proceed
"schedule"/"every X"	Plan → cron (references/orchestration.md)
"redo"/"find task"	--search → --rerun
"status"/"working on"	--status --agent \x3CmyAgentId>
"all status"	--all-status (elevated only)
else	Decompose and Execute

Model Registry

openclaw.json models.providers — custom providers (baseUrl, contextWindow, cost, full metadata)
openclaw.json agents.defaults.models / agents.list[].models — auth-system models (OAuth, API key profiles)
openclaw models list --json — fills auth status and gaps for built-in providers
agents/\x3Cid>/agent/models.json — agent-scoped overrides

Sources 1 and 2 read directly from config. Source 3 is authoritative for auth status. Spawning to targetAgent: only use models available to that agent.

Model Selection

Classify: lookup/transform/code/reasoning/creative/agentic. long-doc (>50K→100K+ ctx), multimodal.
agent-policies.json: remove disabled/task-restricted/agent-restricted.
requiredTokens = estimatedInputTokens+2000. Exclude >ctx×0.8. Downgrade tier if >ctx×0.5.
--compute-headroom \x3Cprovider/model-id>. Exclude ≤0. needsRefresh→--probe-provider \x3Cid> --live.
Score:

Tier	Unlimited	Speed	Headroom
1	yes	fast	∞
2	yes	medium	∞
3	no	fast	>50%
4	no	fast	>0%
5	no	medium	>50%
6	no	medium	>0%
7	no	slow	>0%

Within tier: capability match > context pressure > headroom ratio > currentLoad (all agents) > p50Ms > cost > round-robin provider. preferModels[] boosts to tier top. Announce: → [alias] ([provider/model]) — [speed, headroom%, ctx%, capability]

Decompose and Execute

Simple task (single domain, linear, obvious): plan yourself → --create '\x3Cjson>' → spawn workers. Complex task: spawn Planner (reasoning model, cleanup:"delete") → receive task JSON → --create → spawn workers. See references/orchestration.md for Planner prompt.

Spawn each ready subtask:

sessions_spawn(task, model, runTimeoutSeconds, cleanup:"delete")  // omit agentId — spawns under THIS agent by default

Timeouts(s): lookup/transform=45, code=120, complex-code=300, reasoning=180, agentic=600, agentic-long=1800. Only add agentId to the spawn call when subtask.targetAgent is explicitly set — never otherwise. Default (no agentId) always spawns under the calling agent. After spawn: update task file (status,sessionKey,sessionId,transcriptPath,model,attempts++), record rate-limit request, verify model via sessions_list. Rounds parallel within dependency level. Priority: urgent>normal>background, auto-boost after 10min.

Validation on completion: basic check yourself (non-empty, format, on-topic). Code/logic/maths/security → spawn Validator (reasoning, cleanup:"delete"). pass→continue, partial/fail→Retry. All subtasks terminal → spawn Synthesiser (cleanup:"delete"). Never synthesise yourself. Archive. See references/orchestration.md.

Retry

Simple failure: build correction prompt yourself, respawn. Complex failure: spawn Corrector (reasoning, cleanup:"delete"). Attempt 1: same model. Attempt 2: stronger reasoning model. Attempt 3: strongest, simplified prompt. After 3: report to user. See references/resilience.md.

Status

--status --agent \x3CagentId> — this agent only. --all-status — elevated only. Check: openclaw agent status --json | grep -q '"elevated":true'.

Budget

budgetCap: estimate at planning (Σ tokens×cost/1e6). Warn 80%, pause 100%. references/resilience.md.

References

references/orchestration.md references/onboarding-guide.md references/resilience.md references/task-schema.md references/task-types.md references/model-profiles.md scripts/probe-limits.js scripts/task-manager.js scripts/provider-probes.json

安全使用建议

This skill is plausible as an orchestrator, but it requests and installs persistent, high‑privilege changes that merit caution. Before installing: (1) verify the skill author's identity and provenance (source is unknown); (2) inspect and run the install script and the two node scripts (probe-limits.js and task-manager.js) line-by-line in a safe environment; (3) back up AGENTS.md and BOOT.md and plan how to revert changes (install.sh will prepend/append to them and may restart the gateway); (4) confirm you are comfortable with the skill having read:env and exec:scripts permissions — consider limiting environment access or running in an isolated instance; (5) ensure the consent flow in BOOT.md is acceptable (it claims to request consent before probing keys) and test that it actually halts if consent is denied; (6) if you cannot verify provenance, run this skill only in a sandboxed or non-production OpenClaw instance. Because always:true + env access + startup modification is a risky combination, proceed only after manual review and testing.

功能分析

Type: OpenClaw Skill Name: baton Version: 1.0.7 Baton is an orchestrator that employs aggressive persistence and behavioral modification techniques. The `scripts/install.sh` script prepends 'hard rules' to the global `AGENTS.md` to hijack the agent's persona and modifies `BOOT.md` to ensure its logic executes on every gateway restart. It also schedules a one-shot cron job and forces a gateway restart to apply these changes. While `scripts/probe-limits.js` includes sanitization logic to prevent API keys from appearing in logs, the script's ability to resolve raw credentials from `openclaw.json` and use them in outbound HTTP requests (via `fetch`) represents a high-risk capability, especially when combined with the persona-locking instructions in `SKILL.md` and `AGENTS.md`.

能力评估

ℹ Purpose & Capability

The declared purpose — an orchestrator that routes work to subagents — matches most of the included files (planners, task manager, probe scripts, orchestration docs). Creating baton state directories, building a model registry, and probing provider rate limits are coherent with model routing. However, the installer also prepends a hard rule into AGENTS.md and writes BOOT.md to enforce startup behavior; these are stronger system‑level changes than a typical routing helper and deserve explicit justification.

⚠ Instruction Scope

SKILL.md and BOOT.md instruct the agent to run startup routines, probe openclaw.json and agent models, resume incomplete tasks, and run node scripts that read config and resolve API keys. The instructions also require creating and modifying global files (AGENTS.md, BOOT.md), scheduling a boot job, and possibly restarting the gateway. Those steps go beyond simply delegating tasks and grant the skill broad discretion to run code and change agent/system startup behavior.

⚠ Install Mechanism

There is no remote download, but scripts/install.sh performs persistent changes: it writes/appends/prepends to AGENTS.md and BOOT.md, creates directories in ~/.openclaw, invokes node scripts (probe-limits.js) and attempts to schedule a cron job via the gateway and restart the gateway. Local install scripts that change agent startup config and auto-restart services are higher-risk even when bundled with the skill.

⚠ Credentials

The skill metadata requests read:env and the probe script resolves API keys from environment variables or config to query provider rate-limit endpoints. While probing provider limits is reasonable for a router, asking for broad env reads (no per-variable scoping) and always being present increases risk of accidental exposure of unrelated secrets. The skill does not declare specific required API keys but the code will attempt to resolve any hinted env vars and may access openclaw.json provider entries.

⚠ Persistence & Privilege

The registry flags include always:true, and the installer forcibly injects a 'HARD RULE' into AGENTS.md and a BOOT.md entry that runs on gateway restart. The install also schedules a one-shot boot job and attempts to restart the gateway. always:true combined with the ability to modify agent startup and read environment/config is a powerful persistent privilege and increases the blast radius of any bug or malicious behavior.

版本历史

v1.0.7

- Added package.json to define package metadata and dependencies. - No changes to skill logic or orchestration behavior.

v1.0.5

- Added installation script: scripts/install.sh - Clarified that AGENTS.md (hard rule) and BOOT.md (startup routine) are installed by install.sh - Updated Startup instructions to reference install script and clarify startup process triggers - No changes to core orchestration or agent behavior

v1.0.4

- Clarified worker spawning behavior: Only include agentId in sessions_spawn when subtask.targetAgent is explicitly set; otherwise, always spawn under the calling agent. - Updated code example in Decompose and Execute section to reflect this default spawning logic. - Emphasized never to add agentId unless overridden in the subtask. - No other changes; all workflows and permissions remain the same.

v1.0.3

- Improved model registry logic: now uses openclaw.json for provider metadata and agent model lists, with clearer sourcing and auth status handling. - Clarified registry priority: built-in, config, and agent-scoped model sources are now explicitly described and ordered. - No functional changes to orchestration or execution flow. - Documentation is now more explicit about how model availability and overrides are determined.

v1.0.2

- Startup logic is now handled by a new BOOT.md file; startup checks must run before any request if not already done. - Updated metadata to include required config keys and permissions. - Added a new requirement: only handle requests if startup process completed recently (gateway-alive.txt check). - No other major logic changes.

v1.0.0

Baton 1.0.0 – Launch of AI Orchestrator for OpenClaw - Introduces baton as a pure orchestrator: routes all requests to subagents, never performs work directly. - Handles model selection, onboarding, basic task planning/validation, and intelligent routing. - Delegates complex planning, validation, correction, and synthesis to subagents. - Provides detailed routing, startup, model registry, and execution procedures. - Implements budget tracking, task retries, escalation, and status reporting. - Extensive reference documentation for orchestration, onboarding, resilience, and more.

元数据

Slug baton

版本 1.0.7

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 6

常见问题

Baton 是什么？

Baton — AI orchestrator for OpenClaw. Routes every request to subagents. Never does work itself. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 241 次。

如何安装 Baton？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install baton」即可一键安装，无需额外配置。

Baton 是免费的吗？

是的，Baton 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Baton 支持哪些平台？

Baton 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Baton？

由 Entrebear（@entrebear）开发并维护，当前版本 v1.0.7。