by xvirobotics
构建受监督的、自我进化的 Agent 组织的基础设施 | Infrastructure for supervised, self-improving agent organization. 飞书/Telegram 手机端运行 Claude Code 或 Kimi Code(双引擎,两家原生订阅直接用),共享记忆、Agent 工厂、定时任务、通信总线。
# Add to your Claude Code skills
git clone https://github.com/xvirobotics/metabotLast scanned: 5/7/2026
{
"issues": [
{
"type": "npm-audit",
"message": "@anthropic-ai/claude-agent-sdk: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@anthropic-ai/sdk: Claude SDK for TypeScript has Insecure Default File Permissions in Local Filesystem Memory Tool",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@hono/node-server: @hono/node-server: Middleware bypass via repeated slashes in serveStatic",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@larksuiteoapi/node-sdk: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@volcengine/openapi: Vulnerability found",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "@xmldom/xmldom: xmldom: Uncontrolled recursion in XML serialization leads to DoS",
"severity": "high"
},
{
"type": "npm-audit",
"message": "axios: Axios Cross-Site Request Forgery Vulnerability",
"severity": "high"
},
{
"type": "npm-audit",
"message": "brace-expansion: brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "express-rate-limit: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "flatted: flatted vulnerable to unbounded recursion DoS in parse() revive phase",
"severity": "high"
},
{
"type": "npm-audit",
"message": "follow-redirects: follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "hono: Hono missing validation of cookie name on write path in setCookie()",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "ip-address: ip-address has XSS in Address6 HTML-emitting methods",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "picomatch: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"severity": "high"
},
{
"type": "npm-audit",
"message": "postcss: PostCSS has XSS via Unescaped </style> in its CSS Stringify Output",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "protobufjs: Arbitrary code execution in protobufjs",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "vite: Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling",
"severity": "high"
},
{
"type": "npm-audit",
"message": "xlsx: Prototype Pollution in sheetJS",
"severity": "high"
}
],
"status": "FAILED",
"scannedAt": "2026-05-07T06:38:03.303Z",
"semgrepRan": false,
"npmAuditRan": true,
"pipAuditRan": true
}metabot is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by xvirobotics. 构建受监督的、自我进化的 Agent 组织的基础设施 | Infrastructure for supervised, self-improving agent organization. 飞书/Telegram 手机端运行 Claude Code 或 Kimi Code(双引擎,两家原生订阅直接用),共享记忆、Agent 工厂、定时任务、通信总线。. It has 920 GitHub stars.
metabot failed SkillsLLM's automated security scan, which flagged one or more high-severity issues. Review the Security Report section carefully before using it.
Clone the repository with "git clone https://github.com/xvirobotics/metabot" and add it to your Claude Code skills directory (see the Installation section above).
metabot is primarily written in TypeScript. It is open-source under xvirobotics on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh metabot against similar tools.
No comments yet. Be the first to share your thoughts!
Requires a passing catalog security scan. Resolve the flagged issues and resubmit to enable featuring.
可自托管的个人 Agent 工作台;Claude Code 作为兼容引擎继续保留。
curl -fsSL https://github.com/xvirobotics/metabot/releases/latest/download/install.sh | bash
带签名校验的安装器约五分钟部署完整个人版:本地 Core、仅 Token 登录的 Web UI、IM Bridge、CLI、Skills 和 PM2 服务。
MetaBot 运行在你自己的机器上,不依赖企业 SSO、OIDC、VPN 或员工目录。
http://localhost:9200。0600 权限保存到 ~/.metabot-core/token,且不会写入日志。~/.metabot-core/,Bridge 状态默认在 ~/.metabot/。METABOT_INSTALL_CORE=0 仍可连接已有外部 Core。自定义目录、源码安装、更新、Windows 状态和外部 Core 配置详见安装文档。
默认安装目录为 ~/metabot。可用
METABOT_HOME=/opt/metabot bash install.sh 覆盖;源码 checkout 与 Release
安装保留各自的更新路径,metabot update 不会盲目猜测。
Codex 是默认引擎,Kimi Code 是一级可选引擎。Claude Code 继续保留,确保现有 Claude Bot 和工作区仍能运行。
| 引擎 | 接入方式 | 认证 | 当前开源版能力 |
|---|---|---|---|
| Codex CLI | codex exec --json 和 codex exec resume |
codex login 或 OpenAI 兼容 API 配置 |
JSONL 流式输出、工具、会话续接、/model、/effort、Bridge 管理的 Goal 和后台任务 |
| Kimi Code 0.27+ | Kimi Web 前端同源的官方本地 Server API | kimi login |
持久 Session、原子快照、问题交互、停止/续接、工具、子 Agent 和 Goal |
| Claude Code 兼容 | Claude CLI / Agent SDK 兼容路径 | claude login 或 Anthropic 兼容 API |
继续支持现有 Claude 会话、Skills 和工作区 |
当前公开版 Codex 适配器使用 codex exec;Codex app-server 以及 Codex/Kimi 的飞书执行中 steering 将在后续基础链完整后开放。
请在独立终端安装或登录引擎:
npm install -g @openai/codex
codex login
npm install -g @moonshot-ai/kimi-code@latest # Kimi Code 0.27+
kimi login
每个 Bot 在 bots.json 中独立选择引擎;省略时默认为 codex。详见多 Bot 配置和环境变量。
各引擎继续使用自己的工作区约定:
| 内容 | Codex | Kimi Code | Claude 兼容 |
|---|---|---|---|
| 工作区说明 | AGENTS.md |
AGENTS.md |
CLAUDE.md 兼容入口 |
| Skills | .codex/skills/ |
.agents/skills/ |
.claude/skills/ |
| 订阅状态 | Codex profile | ~/.kimi-code/ |
Claude credentials |
安装器会把 MetaBot 内置 Skills 镜像到当前引擎路径,并保留用户已修改的本地 Skills。
前置条件:Node.js >= 22.19、Git,以及至少一个引擎和一个聊天渠道的凭证。
metabot status
metabot health
打开 http://localhost:9200,粘贴 ~/.metabot-core/token 中的 Token,再选择 Bot。
| 渠道 | 适合场景 | 配置入口 |
|---|---|---|
| 飞书/Lark | 工作空间、流式卡片、文件、群聊路由 | 飞书应用配置 |
| Telegram | 最快个人配置;不需要公网 IP | 快速配置 |
| 微信 | 通过 ClawBot 接入个人微信;目前灰测中 | 微信指南 |
| Web | 浏览器 Chat、Core、Memory、Teams 和设置 | http://localhost:9200 |
飞书使用长连接 WebSocket,Telegram 和微信使用长轮询,都不需要开放公网入站端口。
飞书群里的普通消息只路由给被准确 @ 的 Bot。群主可以用
@Bot /group-reply ... 为每个 Bot、每个群选择仅 @ 或回复全部消息;裸命令
和只 @ 其他 Bot 的命令会被忽略。仅 @ 模式下,未 @ 的文件会保留给下一条
@Bot 指令。详见聊天命令。
一个 Bridge 进程的 bots.json 可以混用引擎和工作区:
{
"feishuBots": [
{
"name": "codex-dev",
"engine": "codex",
"feishuAppId": "cli_xxx",
"feishuAppSecret": "...",
"defaultWorkingDirectory": "/home/me/project-a"
},
{
"name": "kimi-reviewer",
"engine": "kimi",
"feishuAppId": "cli_yyy",
"feishuAppSecret": "...",
"defaultWorkingDirectory": "/home/me/project-b",
"kimi": { "thinking": true }
}
]
}
每个 Bot 拥有独立的渠道凭证、引擎、工作区和会话,同时仍可通过 Agent Teams 和 Agent Bus 协作。
metabot CLI 安装和发布可复用 Skills。| 命令 | 用途 |
|---|---|
/model |
查看或切换当前引擎/模型 |
/effort low|medium|high|xhigh|max|ultra |
设置当前 Chat 的 Codex 推理强度 |
/status |
查看当前会话和模型 |
/reset |
开始新会话 |
/stop |
停止当前任务 |
/goal <条件> |
跨轮持续工作,直到完成、阻塞或到达上限 |
/background <提示> |
在 Chat 继续使用时运行受支持的后台任务 |
@Bot /group-reply mention|all|status |
控制一个飞书 Bot 在一个群里的回复模式 |
metabot update |
更新并重启已安装的个人版 |
Release 安装从稳定 GitHub 资源更新,源码 checkout 从 Git 更新:
metabot update # Package 安装
metabot update --git # 源码 checkout
参与开发:
git clone https://github.com/xvirobotics/metabot.git ~/metabot
cd ~/metabot
npm ci --include=dev
npm test
请使用 Node.js >= 22.19,并在提交 PR 前阅读贡献指南。
MetaBot Agent 可以在配置的工作区中读、写和执行代码。请妥善保管 Core 与 Bridge Token,限制 IM Bot 可见范围,仅通过自有鉴权反向代理或私有网络暴露本地端口。
MetaBot 由 XVI Robotics 开发,采用 MIT License 开源。