← 返回 Skills 市场
823
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install task-orchestra
功能描述
Coordinate multiple agents and tasks for complex workflows. Orchestrate subagents, manage dependencies, handle parallel execution, and ensure successful comp...
安全使用建议
This skill's described orchestration features are plausible, but several inconsistencies suggest caution:
- Ask the publisher (or repository) why BRAVE_API_KEY is required and what it's used for; do not provide sensitive tokens until that is explained.
- Confirm why an npm 'async' package and an 'async' binary are installed — that package is normally a JS library, not a CLI. If you must install it, review the exact package and its maintainer and audit the package contents in a sandbox first.
- Because the skill can spawn and steer subagents, run it in a restricted/sandboxed environment and limit its privileges on first use.
- Prefer skills with a verifiable source/homepage and code you can inspect; this skill has no source URL or code files.
If you cannot get a clear explanation for the BRAVE_API_KEY and the odd install spec, treat this skill as untrusted and avoid installing it or set it up in an isolated test environment only.
功能分析
Type: OpenClaw Skill
Name: task-orchestra
Version: 1.0.0
The skill 'task-orchestra' is classified as suspicious due to its powerful capabilities that, while aligned with its stated purpose of agent orchestration, present significant security risks. It requires access to `curl` and `jq` (enabling network and shell command execution) and the `BRAVE_API_KEY` environment variable (access to a secret). Crucially, the skill instructs the agent on how to spawn, steer, and kill subagents (`sessions_spawn`, `sessions_send`, `subagents kill`, `subagents steer`), which are powerful primitives that could be leveraged for unauthorized actions or data exfiltration if the agent receives malicious prompts. While there are no explicit instructions for malicious behavior within the `SKILL.md` itself, the combination of broad permissions and powerful execution capabilities makes it a high-risk component.
能力评估
Purpose & Capability
The skill claims to coordinate subagents and manage workflows — that aligns with the SKILL.md instructions. However, the declared required environment variable (BRAVE_API_KEY) is unrelated to orchestration and is never referenced in the instructions. The install spec asks for an npm package 'async' and declares it creates a binary named 'async' (the npm 'async' package is a JS library, not a CLI binary). These requirements do not match the stated purpose and are disproportionate or unexplained.
Instruction Scope
The SKILL.md is instruction-only and stays within orchestration concerns (spawn/monitor/kill subagents, dependency resolution, templates). It is quite high-level and grants broad discretion to spawn and manage subagents (including 'self-evolution' uses), which is powerful but consistent with an orchestration skill. The instructions do not reference BRAVE_API_KEY, curl/jq usage, or any external endpoints, and they are vague in ways that could enable wide-ranging agent behavior if the agent platform honors commands like sessions_spawn and subagents kill/steer.
Install Mechanism
An npm install entry is present for package 'async' that purportedly creates a binary 'async'. This is inconsistent: 'async' on npm is a JS library (not a known CLI), and the skill contains no code files that would need that dependency. Installing arbitrary npm packages can introduce supply-chain risk; here the install requirement appears unnecessary or malformed.
Credentials
The skill requires BRAVE_API_KEY but the SKILL.md contains no instructions that use Brave or any external search/API requiring that key. Requiring a secret-like environment variable without justification is disproportionate. No primary credential is declared, and no other env/config paths are requested.
Persistence & Privilege
The skill does not request always:true, does not declare system config paths, and is user-invocable only. That is a normal privilege profile. Note: the functional ability to spawn and manage subagents (per the instructions) is powerful — review platform-level permissions for spawning agents before enabling.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install task-orchestra - 安装完成后,直接呼叫该 Skill 的名称或使用
/task-orchestra触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of task-orchestra skill.
- Coordinate multiple agents and tasks for complex, multi-step workflows.
- Manage task dependencies, parallel execution, and agent orchestration.
- Provides built-in patterns for sequential, parallel, and pipeline execution.
- Robust workflow management including error handling, state tracking, and recovery.
- Supports spawning, supervising, and communicating with subagents.
- Includes workflow templates for research, content creation, and software development.
元数据
常见问题
Task Orchestra 是什么?
Coordinate multiple agents and tasks for complex workflows. Orchestrate subagents, manage dependencies, handle parallel execution, and ensure successful comp... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 823 次。
如何安装 Task Orchestra?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install task-orchestra」即可一键安装,无需额外配置。
Task Orchestra 是免费的吗?
是的,Task Orchestra 完全免费(开源免费),可自由下载、安装和使用。
Task Orchestra 支持哪些平台?
Task Orchestra 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Task Orchestra?
由 tobisamaa(@tobisamaa)开发并维护,当前版本 v1.0.0。
推荐 Skills