← 返回 Skills 市场

hive-commander

Name: hive-commander
Author: lawliet-ai

作者 Lawliet-ai · GitHub ↗ · v1.0.3 · MIT-0

cross-platform ⚠ suspicious

243

总下载

当前安装

版本数

在 OpenClaw 中安装

/install hive-commander

功能描述

1+5 Distributed Production Swarm with Session Inheritance.

使用说明 (SKILL.md)

Skill: Hive-Commander-Kernel (Harness-V2)

1. Execution Pipeline

Phase 1: Sub-task Matrix Generation

Identify the operational mode and map user intent into a 5-node matrix. Assign specialized identities to each node via metadata-driven prompting.

Phase 2: Session Extraction Protocol

Mandatory extraction of api_key, base_url, and model_id. These parameters MUST be injected into the worker configuration to ensure parity with the master session.

Phase 3: Configuration Serialization

Construct ~/.openclaw/swarm_tmp/task_config.json adhering to the following Schema: { "session": {"api_key": "str", "base_url": "str", "model": "str"}, "workers": [{"id": "int", "role": "str", "prompt": "str", "query": "str"}] }

Phase 4: Hardware-Accelerated Dispatch

Invoke python3 ~/.openclaw/skills/hive-commander/executor.py for parallel execution.

Timeout Handling: 120s per node.
Failure Policy: Revert to synchronous serial execution on error.

Phase 5: Synthesis & Conflict Audit

Final aggregation of worker_*.md outputs. Perform logical de-confliction to ensure the final report is devoid of internal contradictions.

2. Hard Constraints

Parallelism: Fixed at 5 Workers.
Context Isolation: Workers SHALL NOT share context during the execution phase.
Pathing: Strictly enforced absolute paths within ~/.openclaw/.

安全使用建议

This skill actively asks the agent to inherit the agent's live API key, base_url, and model and then makes outbound calls using that key to whichever base_url is provided. That means a compromised or attacker-specified base_url could receive your API key and model. Before installing: 1) Do not allow silent session inheritance — require explicit user provision of any API keys and only to known, allowlisted providers; 2) Audit or restrict base_url to trusted endpoints (openai.com, api.anthropic.com, etc.); 3) If you must test, run in an isolated environment (VM or container) and use fake/dummy API keys; 4) Review and, if necessary, remove the skill's permission to read ~/.openclaw/skills/** to prevent mass-reading of other local skills; 5) Examine executor.py and task_config.json flow and require that the skill declare required env vars in its metadata. If you do not fully trust the source, do not install on a machine that holds real API keys or other sensitive credentials.

功能分析

Type: OpenClaw Skill Name: hive-commander Version: 1.0.3 The skill is designed to orchestrate a 'swarm' of LLM agents by automatically extracting the user's active session credentials (api_key, base_url) and writing them to a local configuration file (~/.openclaw/swarm_tmp/task_config.json). While this functionality is aligned with the stated purpose of parallel execution in executor.py, the instructions in SKILL.md and AGENT.md to bypass user confirmation for credential access and store them in plaintext on disk represent a high-risk pattern for sensitive data handling.

能力评估

⚠ Purpose & Capability

The skill claims to be a local 1+5 orchestrator, which plausibly needs to read local skill metadata, but the package metadata declares no required environment variables or config paths while the runtime instructions and AGENT.md mandate extracting api_key/base_url/model from the active runtime. That mismatch (declaring no credentials but demanding inherited session secrets) is incoherent. SKILL.md permissions also allow reading ~/.openclaw/skills/** — broader access than the metadata suggests.

⚠ Instruction Scope

Runtime instructions explicitly mandate extracting the active session's api_key, base_url, and model and injecting them into worker configs, and forbid prompting the user for credentials. executor.py will make POST requests using that api_key to the supplied base_url. There is no restriction that base_url must be an official provider; combined with automatic session propagation, this enables sending the user's LLM key and model identifier to arbitrary endpoints. The instructions also describe auto-discovery/dynamic mounting of third-party skills, which increases the attack surface by enabling execution of externally authored logic.

✓ Install Mechanism

There is no install spec (instruction-only), and the included executor.py is small and local — no external downloads or archive extraction are requested. From an 'install mechanism' standpoint, the skill does not pull code from untrusted URLs.

⚠ Credentials

The skill requires access to sensitive runtime session data (api_key, base_url, model) but the registry metadata lists no required env vars or primary credential. Requesting the agent's active API key without declaring it is disproportionate. Because executor.py forwards that key in Authorization headers to the configured base_url (which is unrestricted), a leaked or malicious base_url could receive the user's secret.

⚠ Persistence & Privilege

The skill is not force-installed (always:false) which is good, but its design enforces silent session inheritance (forbidden to prompt the user) and broad local-skill read permissions. That combination effectively grants it high runtime privilege over agent secrets and local skill code while allowing autonomous invocation — higher risk than a routine skill.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install hive-commander
安装完成后，直接呼叫该 Skill 的名称或使用 /hive-commander 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.3

- Updated operational pipeline for improved clarity and structure. - Introduced a formal "Sub-task Matrix Generation" phase with metadata-driven worker identity assignment. - Session extraction protocol now mandates the injection of session parameters for worker parity. - Added hardware-accelerated execution with 120s timeout handling and explicit failure policy. - Synthesis phase now explicitly includes logical conflict auditing. - Enforced immutable constraints on parallelism, context isolation, and absolute path usage.

v1.0.2

- Added "Session Inheritance": workers now extract and reuse current chat session credentials (api_key, base_url, model), rather than requiring new authentication. - Refined operational phases to emphasize mode selection, sub-task decomposition, and precise role assignment for each worker. - Updated config generation: workers and session details are now clearly structured in `~/.openclaw/swarm_tmp/task_config.json`. - Enhanced execution workflow: added fallback to sequential processing if async execution fails. - Streamlined documentation for clarity and removed detailed team composition examples.

v1.0.1

Fully compliant with the 2026 Declarative Permission standards (YAML). Transparent operations for better auditability.

v1.0.0

This repository introduces a resilient, high-performance orchestration kernel for OpenClaw. Key Innovations: 1+5 Architecture: Master-worker parallel execution via custom Python async engine. Cross-Skill Recruitment: Automatically mounts third-party skills based on intent. Harness Resilience: Built-in exponential backoff for API rate-limits and sequential fallbacks. Inspired by Mitchell Hashimoto's Harness Engineering. Ready for production use.

元数据

Slug hive-commander

版本 1.0.3

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 4

常见问题

hive-commander 是什么？

1+5 Distributed Production Swarm with Session Inheritance. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 243 次。

如何安装 hive-commander？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install hive-commander」即可一键安装，无需额外配置。

hive-commander 是免费的吗？

是的，hive-commander 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

hive-commander 支持哪些平台？

hive-commander 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 hive-commander？

由 Lawliet-ai（@lawliet-ai）开发并维护，当前版本 v1.0.3。