← 返回 Skills 市场
taichi
作者
Indivisible
· GitHub ↗
· v2.1.0
· MIT-0
80
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install taichi
功能描述
太极架构多 Agent 协作框架,支持集中式、分布式,元混合三种执行模式。基于 Redis 消息总线,实现 Planner/Drafter/Validator/Dispatcher 四个阶段的工作流。
安全使用建议
This package appears to be what it says: a Redis-based multi-agent orchestration framework. Before installing: (1) review configs/configs/skills/manifest.yaml and configs/communication.yaml to ensure allowed_commands and permission rules are strict; (2) inspect install.sh and start.sh and run them in an isolated environment or container (do not run as root); (3) secure Redis (bind to localhost or require AUTH) to avoid exposing the message bus; (4) be aware that tasks can cause the framework to run shell commands — template substitution is simple string replacement and commands are executed via the shell, so untrusted task input or a lax skill manifest can lead to command injection or arbitrary command execution; (5) if you will accept tasks from external/untrusted sources, harden the allowed_commands whitelist and/or use non-shell executors. If you want a more thorough risk assessment, provide the contents of configs/skills/manifest.yaml and configs/communication.yaml and the orchestrator invocation options.
功能分析
Type: OpenClaw Skill
Name: taichi
Version: 2.1.0
The 'Taichi Framework' bundle contains a critical Remote Code Execution (RCE) vulnerability due to unsafe command execution in 'taichi-framework/core/skills/skill_executor.py'. The 'bash_executor' skill defined in 'taichi-framework/configs/skills/manifest.yaml' uses a template that performs simple string substitution of user-controlled parameters into a shell command. The associated whitelist check is flawed as it only validates the first word of the resulting command string (using shlex.split), which can be easily bypassed using command chaining characters like ';' or '&&'. This vulnerability is reachable through the framework's standard multi-agent workflow, where input from the PlannerAgent is passed to the DrafterAgent and eventually executed by a worker.
能力评估
Purpose & Capability
Name/description (multi-agent orchestration using Redis) match the shipped code and SKILL.md: orchestrator, CentralizedBus/DistributedBus, Agent classes, Worker implementations, configs and a skill manifest are present. There are no unrelated credentials, binaries, or external downloads requested. One minor inconsistency: registry metadata listed this as 'instruction-only' but the package includes full source and install scripts (not a security problem by itself, but worth noticing).
Instruction Scope
SKILL.md instructs running the framework in a venv and requires Redis — that's coherent. However the framework's SkillExecutor executes commands via asyncio.create_subprocess_shell with naive template substitution (string replace) and only a first-word whitelist check. Because commands are executed through the shell, poorly configured skill manifests or untrusted task parameters could enable shell injection or arbitrary command execution. The runtime also reads permission files and YAML manifests from the package; verify those before use.
Install Mechanism
No network download install spec in registry; code includes local install.sh and venv-based installation that will pip-install pinned requirements.txt. No remote archive downloads or obscure URLs present in the provided files.
Credentials
The package does not require external credentials or environment variables in registry metadata. It expects a reachable Redis instance and local venv — which is proportional to a Redis-based orchestration framework. Note: if your Redis requires authentication you will need to supply credentials in config; the skill does not itself request cloud/secret env vars.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges or modify other skills. It persists runtime state to a local workspace and SQLite DB (expected for orchestration) and can run autonomously (default), which is the platform norm.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install taichi - 安装完成后,直接呼叫该 Skill 的名称或使用
/taichi触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.1.0
Taichi 2.1.0 introduces a flexible multi-agent workflow framework with multiple execution modes:
- Supports centralized, distributed, and hybrid (meta-mixed) execution modes for various task scenarios.
- Implements a four-stage workflow: Planner, Drafter, Validator, Dispatcher, using a Redis message bus.
- Provides easy command-line usage examples for each mode.
- Updated documentation with mode descriptions, commands, and prerequisites.
- Requires a running Redis server and Python virtual environment.
元数据
常见问题
taichi 是什么?
太极架构多 Agent 协作框架,支持集中式、分布式,元混合三种执行模式。基于 Redis 消息总线,实现 Planner/Drafter/Validator/Dispatcher 四个阶段的工作流。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 80 次。
如何安装 taichi?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install taichi」即可一键安装,无需额外配置。
taichi 是免费的吗?
是的,taichi 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
taichi 支持哪些平台?
taichi 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 taichi?
由 Indivisible(@indivisible2025)开发并维护,当前版本 v2.1.0。
推荐 Skills