yuyonghao-123

React Orchestrator

Author yuyonghao-123 · GitHub ↗ · v0.1.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 139
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install yuyonghao-react-orchestrator
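Description
A dual-system AI orchestrator based on the ReAct framework that automatically assesses task complexity, intelligently switches between fast-execution and deep-reasoning modes, and supports multi-tool collaboration.
Security usage recommendations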
This skill appears to implement the advertised ReAct orchestration and includes helpful features (HITL, Code Mode, tool registry). However:
- The package metadata lists no required env vars, but the code and examples reference TAVILY_API_KEY and call external APIs; treat these as optional integrations but be explicit about what you set. Do not expose sensitive env vars unless you trust the skill.
- The Code Mode will write temp files and spawn child processes (node and PowerShell). That means it can read/write filesystem paths and execute arbitrary code — run in an isolated environment (container/VM) if you are unsure.
- Built-in templates include file-read and file-write operations. Enable and configure HITL (requireApproval for file-write / execute-command) before letting the orchestrator act on your behalf.
- package.json is minimal (only zod). The code references modules (e.g., 'tavily-search') not declared as dependencies; inspect and install required third‑party libs yourself from trusted sources.
- If you plan to use networked features or the A2A functionality later, audit any networking endpoints and consider firewalling the runtime or limiting outbound access.

If you want to proceed, run it in a sandbox, enable HITL approvals for dangerous operations, and avoid supplying real secrets (API keys, cloud credentials) until you have audited templates and tool implementations. If anything is unclear, ask the author to add explicit metadata listing required env vars, external endpoints, and a dependency list.
Functional analysis
Type: OpenClaw Skill
Name: yuyonghao-react-orchestrator
Version: 0.1.0

The bundle implements a 'Code Mode' feature in `src/code-mode.js` that converts tool calls into executable JavaScript or PowerShell code, which is then run locally using `child_process.spawn`. This creates a significant Remote Code Execution (RCE) surface, especially as it includes built-in templates for file system operations and executes PowerShell with `-ExecutionPolicy Bypass`. While this is presented as a token-optimization feature and lacks explicit evidence of malicious intent (such as hardcoded exfiltration or backdoors), the capability to generate and execute arbitrary code based on LLM-provided parameters is inherently high-risk.
Capability assessment
Purpose & Capability
The code and docs implement the stated dual-system ReAct orchestrator, tool registry, Code Mode and HITL features — which is coherent with the skill description. However the code references third‑party integrations (e.g., require('tavily-search') templates, calls to https://api.tavily.com) and environment variables (process.env.TAVILY_API_KEY) even though the skill metadata lists no required env vars or external dependencies. That mismatch should be clarified.
Instruction Scope
SKILL.md instructs registering and invoking tools, including examples that read/write files and call network APIs. The repository contains templates and runtime that will read arbitrary file paths, write files, spawn Node/PowerShell subprocesses, and make outbound HTTP requests. These behaviors go beyond simple 'reasoning' and require explicit user consent and configuration; the runtime instructions do not enumerate these risks or required safeguards.
Install Mechanism
There is no external download/install spec (instruction-only / local npm package). That lowers supply‑chain risk. However package.json only lists 'zod' while code expects other modules (e.g., 'tavily-search') in templates — users must install or provide those dependencies manually. The skill writes temporary files and spawns child processes, but those actions are implemented locally (no remote install URL).
Credentials
Registry metadata declares no required environment variables, yet code and examples reference process.env.TAVILY_API_KEY and other env usage (templates and examples). Child processes are started with env: {...process.env}, so any environment secrets available to the host would be visible to executed code. The skill therefore has the ability to access environment secrets even though none are declared — this is a proportionality and disclosure concern.
Persistence & Privilege
The skill is not marked always:true and doesn't request persistent system-wide privileges. It does create temporary files in the OS temp directory and spawns processes (node, powershell.exe). Those runtime privileges are significant but consistent with the Code Mode feature; ensure you run it where executing arbitrary code and PowerShell is acceptable.
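How to use
  1. Make sure OpenClaw is installed (locally or via Docker).
  2. Enter the install command in the chat box: /install yuyonghao-react-orchestrator
  3. Once installation completes, call the Skill by name or trigger it with /yuyonghao-react-orchestrator
  4. Provide the required input according to the Skill's parameter description to get structured output.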
Version history
v0.1.0
Initial release with dual-system ReAct agent framework and Reflexion mechanism.
- Introduces System 1 (fast execution) and System 2 (deep reasoning) with automatic mode switching based on task complexity.
- Implements ReAct reasoning loop and periodic Reflexion for self-correction.
- Includes centralized tool registry with automatic tool matching and timeout controls.
- Provides full task execution history for auditing and debugging.
- Offers configuration options, extensive API documentation, and basic test coverage.
Metadata
Slug yuyonghao-react-orchestrator
Version 0.1.0
License MIT-0
Total installs 0
Current installs 0
Number of versions 1
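FAQ

What is React Orchestrator?

A dual-system AI orchestrator based on the ReAct framework that automatically assesses task complexity, intelligently switches between fast-execution and deep-reasoning modes, and supports multi-tool collaboration. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 139 total downloads to date.

How do I install React Orchestrator?

Run the command "/install yuyonghao-react-orchestrator" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.

Is React Orchestrator free?

Yes, React Orchestrator is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does React Orchestrator support?

React Orchestrator runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed React Orchestrator?

It is developed and maintained by yuyonghao-123 (@yuyonghao-123); the current version is v0.1.0.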
