toolsSource-backedReview first Safety ✓ Privacy ✓

AG2 Agent Framework

Open-source Python AgentOS and multi-agent framework, evolved from AutoGen, for building conversable agents, group chats, swarms, human-in-the-loop workflows, tool use, RAG, code execution, and provider-backed agent systems.

by AG2·added 2026-06-18·

CLI

HarnessCLI

Review first — review before installing

Open the source and read safety notes before installing.

Safety notes

AG2 agents can converse, call tools, execute code, use retrieval systems, run browser workflows, and coordinate group chats; require explicit permissions and approval gates for high-impact actions.
The upstream install docs and examples commonly involve provider credentials; keep API keys, config files, notebooks, and `.env` files out of commits and support tickets.
Code execution, Docker, Jupyter, browser-use, and RAG extras can touch local files, network services, notebooks, databases, and external websites; scope them tightly before granting agent access.
Multi-agent conversations can continue through nested chats, swarms, group chats, and custom reply handlers; define termination, escalation, retry, and human takeover behavior.
Track the release roadmap before upgrading because deprecations and the v1.0 transition can change which APIs should be used for new work.

Privacy notes

Prompts, messages, tool arguments, tool outputs, code snippets, notebook state, retrieved documents, vector-store contents, provider responses, traces, and execution logs may contain sensitive user or workspace data.
Do not expose secrets, API keys, private file paths, customer records, internal documents, database rows, or raw exceptions through agent messages, logs, notebooks, screenshots, or public examples.
Provider extras and retrieval integrations can route data through OpenAI, Anthropic, Google, AWS, local model servers, databases, vector stores, browser automation, or other third-party services.
If AG2 is used for code execution or browser automation, define which files, domains, credentials, downloads, screenshots, and logs can be read or retained.

Prerequisites

Python 3.10 or newer and a Python environment managed with pip, uv, or another package manager.
Model provider credentials for the selected provider extra, such as OpenAI, Anthropic, Gemini, Bedrock, Mistral, Ollama, Groq, xAI, or another supported route.
A secrets strategy for provider keys, AG2 config files, `.env` files, notebooks, and example `OAI_CONFIG_LIST`-style credentials.
A reviewed execution boundary for code execution, Docker, Jupyter, browser-use, RAG, retrieval, database, and external tool extras.
Awareness of the upstream v1.0 roadmap because the current framework is being tidied through deprecations while beta APIs move toward official status.

Schema details

Install type: cli
Troubleshooting: No

Source repository stats

Scope: Source repo

Collection metadata

Estimated setup: 25 minutes
Difficulty: intermediate

Tool listing metadata

Website: https://ag2.ai/
Pricing: free
Disclosure: editorial
Application category: DeveloperApplication
Operating system: Cross-platform

Full copyable content

pip install 'ag2[openai]'

About this resource

Overview

AG2 is an open-source Python framework for building agentic AI systems and multi-agent workflows. It evolved from AutoGen and focuses on conversable agents, cooperation between agents, tool use, human-in-the-loop workflows, group chats, swarms, RAG, code execution, and provider-backed agent applications.

Use AG2 when a Python project needs conversation-driven multi-agent patterns and wants the AutoGen lineage with the current AG2 package, docs, and roadmap. It is especially relevant for teams comparing role-based crews, graph workflows, and conversation-oriented agent systems.

Install

AG2 requires Python 3.10 or newer. For an OpenAI-backed setup:

pip install 'ag2[openai]'

The package has many optional extras for providers, retrieval, tracing, code execution, browser workflows, database-backed RAG, realtime, A2A, AG-UI, and other integrations. Install the smallest set required by the workflow.

Agent Capabilities

Area	AG2 Coverage
Agents	Conversable agents, assistant agents, user proxy agents, and beta AgentOS direction
Multi-Agent Patterns	Group chats, swarms, nested chats, sequential chats, custom reply handlers, and orchestration patterns
Human Review	Human-in-the-loop workflows and user proxy interactions
Tools	Registered tools, provider tools, code execution, browser-use, and integration extras
Retrieval	RAG and retrievechat extras for Chroma, pgvector, MongoDB, Qdrant, Couchbase, and related stores
Providers	Optional extras for OpenAI, Anthropic, Gemini, Bedrock, Mistral, Ollama, Groq, xAI, DashScope, and others
Roadmap	Current APIs plus beta framework work moving toward AG2 v1.0

Use Cases

Build conversation-driven multi-agent teams in Python.
Coordinate agents through group chats, swarms, nested chats, or sequential workflows.
Add human review or user proxy control to an autonomous workflow.
Register tools and provider calls for agents to use.
Add retrieval and RAG capabilities to agent conversations.
Run code execution workflows with scoped Docker, Jupyter, or browser boundaries.
Evaluate whether AG2's AutoGen lineage fits better than graph-based or role-based agent frameworks.

Source Review

Verified on 2026-06-18:

The upstream repository identifies AG2 as the open-source AgentOS and says it was formerly AutoGen.
The installation docs and package metadata describe the ag2 PyPI package and Python >=3.10 requirement.
pyproject.toml declares Apache-2.0 licensing, the ag2 project name, homepage, documentation, source URL, provider extras, retrieval extras, code execution extras, tracing extras, and integration extras.
The release roadmap says AG2 is moving toward v1.0 and that beta framework work is expected to become the official version at v1.0.
PyPI resolves package metadata for ag2 version 0.13.4.

Safety and Privacy

AG2 can sit close to model credentials, notebooks, local code execution, retrieval stores, browser automation, and multi-agent decision loops. Scope tools and execution environments narrowly, isolate credentials, and require human approval before agents write files, execute commands, browse on behalf of users, or mutate external systems.

Multi-agent conversations can produce long message histories and intermediate outputs. Treat agent transcripts, retrieved documents, code execution logs, provider responses, and notebook state as sensitive unless deliberately published.

Duplicate Check

Checked current content/tools/, content/agents/, content/mcp/, content/skills/, guides, open pull requests, and repository-wide content for ag2ai/ag2, AG2, AG2 AgentOS, AG2 formerly AutoGen, ag2 PyPI package, AG2 group chat, AG2 swarms, and AutoGen AgentOS. The directory already has a Microsoft AutoGen entry for microsoft/autogen, but no dedicated AG2 entry, AG2 source URL duplicate, target file, or open duplicate PR was found.

#ag2 #autogen #agents #multi-agent #python #agent-framework #rag

Source citations

Add this badge to your README

Show that AG2 Agent Framework is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

[![Listed on HeyClaude](https://heyclau.de/badge/tools/ag2-agent-framework.svg)](https://heyclau.de/entry/tools/ag2-agent-framework)

How it compares

AG2 Agent Framework side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

Field	AG2 Agent Framework Open-source Python AgentOS and multi-agent framework, evolved from AutoGen, for building conversable agents, group chats, swarms, human-in-the-loop workflows, tool use, RAG, code execution, and provider-backed agent systems. Open dossier	OpenAI Agents Python SDK Official Python framework for building multi-agent workflows with agents, tools, handoffs, guardrails, sessions, tracing, realtime voice agents, MCP tools, hosted tools, human-in-the-loop flows, and sandbox agents. Open dossier	Hugging Face Smolagents Hugging Face Python agent library for CodeAgent and ToolCallingAgent workflows, where agents write Python actions, call tools, use MCP tool collections, connect to Hub tools and spaces, run with LiteLLM or local models, and use optional sandboxes. Open dossier	Microsoft Agent Framework Microsoft framework for building, orchestrating, and deploying production AI agents and multi-agent workflows across Python and .NET, with workflows, middleware, OpenTelemetry, Foundry hosting, A2A, MCP, and Semantic Kernel migration support. Open dossier
Trust
Install risk	Review first	Review first	Review first	Review first
Notes	Safety ✓ Privacy ✓	Safety ✓ Privacy ✓	Safety ✓ Privacy ✓	Safety ✓ Privacy ✓
Category	tools	tools	tools	tools
Source	source-backed	source-backed	source-backed	source-backed
Author	AG2	OpenAI	Hugging Face	Microsoft
Added	2026-06-18	2026-06-18	2026-06-18	2026-06-18
Platforms	CLI	CLI	CLI	CLI
Source repo	—	—	—	—
Safety notes	✓AG2 agents can converse, call tools, execute code, use retrieval systems, run browser workflows, and coordinate group chats; require explicit permissions and approval gates for high-impact actions. The upstream install docs and examples commonly involve provider credentials; keep API keys, config files, notebooks, and `.env` files out of commits and support tickets. Code execution, Docker, Jupyter, browser-use, and RAG extras can touch local files, network services, notebooks, databases, and external websites; scope them tightly before granting agent access. Multi-agent conversations can continue through nested chats, swarms, group chats, and custom reply handlers; define termination, escalation, retry, and human takeover behavior. Track the release roadmap before upgrading because deprecations and the v1.0 transition can change which APIs should be used for new work.	✓Agents can call function tools, hosted tools, MCP tools, realtime tools, and sandbox agents; treat every tool as an API endpoint with explicit authorization, input validation, rate limits, and side-effect controls. Sandbox agents can inspect files, run commands, apply patches, and carry workspace state across longer tasks; restrict workspace scope and require human approval before destructive or high-impact actions. Guardrails are useful runtime checks, but they do not replace permission checks, least-privilege credentials, audit logs, or human review for risky operations. Handoffs and agents-as-tools can delegate work across agents; document which agent owns each tool, decision, retry, rollback, and escalation path. Realtime voice agents and human-in-the-loop flows need clear consent, interruption, recording, and operator takeover behavior.	✓Smolagents CodeAgent writes actions as Python code; run untrusted or high-impact actions in a real sandbox such as Docker, E2B, Modal, or Blaxel instead of treating local execution as a security boundary. Agents can call MCP tools, Hub tools, Spaces, LangChain tools, web search, webpage tools, browser tools, local models, and provider APIs; review each tool's permissions and side effects before use. The built-in local Python execution restrictions are not a complete sandbox, so do not expose sensitive files, credentials, shells, browsers, or network access without additional isolation. CLI agents such as `smolagent` and `webagent` can perform multi-step actions; require explicit operator approval before purchases, account writes, file writes, command execution, or external submissions. Telemetry, tracing, and provider integrations need review before production use because agent steps may include prompts, generated code, tool outputs, and errors.	✓Microsoft Agent Framework can orchestrate agents, tools, workflows, middleware, hosting, A2A, MCP, and third-party providers; review each external system before granting access. Production agents need explicit approval gates, retries, cancellation, idempotency, rollback behavior, tool authorization, and human-in-the-loop boundaries. DefaultAzureCredential is convenient for development but can probe multiple credential sources; choose explicit production credentials and managed identity patterns where appropriate. Foundry-hosted agents, cloud workflows, Durable Task, Azure Functions, and A2A/MCP endpoints need authentication, least privilege, network controls, logging policy, and abuse protection. Migration from Semantic Kernel or AutoGen should include behavior parity tests, trace comparison, provider compatibility review, and safety regression checks.
Privacy notes	✓Prompts, messages, tool arguments, tool outputs, code snippets, notebook state, retrieved documents, vector-store contents, provider responses, traces, and execution logs may contain sensitive user or workspace data. Do not expose secrets, API keys, private file paths, customer records, internal documents, database rows, or raw exceptions through agent messages, logs, notebooks, screenshots, or public examples. Provider extras and retrieval integrations can route data through OpenAI, Anthropic, Google, AWS, local model servers, databases, vector stores, browser automation, or other third-party services. If AG2 is used for code execution or browser automation, define which files, domains, credentials, downloads, screenshots, and logs can be read or retained.	✓Prompts, instructions, tool arguments, tool outputs, session history, traces, realtime audio events, sandbox files, logs, provider responses, and errors may contain user or workspace data. Do not expose secrets, tokens, private file paths, customer records, credentials, internal identifiers, or raw exceptions through traces, logs, prompts, tool schemas, or examples. When using MCP servers, hosted tools, Redis sessions, SQL-backed sessions, or observability systems, review each service's retention, access control, and third-party data handling separately. If sandbox agents operate on repositories or user files, define which files can be mounted, modified, committed, uploaded, logged, or returned to the model.	✓Prompts, generated Python code, tool arguments, tool outputs, execution logs, browser state, search results, Hub repository data, Spaces inputs, model responses, telemetry, and errors may contain user or workspace data. Do not expose Hugging Face tokens, provider API keys, local file paths, customer records, private datasets, credentials, or raw exceptions through shared agents, Hub uploads, logs, screenshots, or public examples. When using MCP servers, Hub tools, Spaces, LiteLLM providers, OpenAI-compatible gateways, local model servers, or sandbox providers, review data retention and third-party access separately. If agents are shared to the Hugging Face Hub, review included tools, prompts, dependencies, examples, and repository files for secrets and private data before publishing.	✓Prompts, instructions, tool arguments, tool outputs, workflow state, middleware data, traces, provider responses, logs, credentials, and hosted-agent metadata may contain sensitive user or business data. Do not expose Azure credentials, Foundry project endpoints, model deployment names, API keys, private file paths, customer records, internal documents, or raw exceptions through examples, traces, logs, or support issues. When using third-party providers, A2A agents, MCP servers, observability systems, or cloud hosting, review where data is sent, stored, retained, and governed. If workflows are durable or restartable, define retention and access controls for checkpoints, state stores, trace spans, and replayable execution history.
Prerequisites	Python 3.10 or newer and a Python environment managed with pip, uv, or another package manager. Model provider credentials for the selected provider extra, such as OpenAI, Anthropic, Gemini, Bedrock, Mistral, Ollama, Groq, xAI, or another supported route. A secrets strategy for provider keys, AG2 config files, `.env` files, notebooks, and example `OAI_CONFIG_LIST`-style credentials. A reviewed execution boundary for code execution, Docker, Jupyter, browser-use, RAG, retrieval, database, and external tool extras.	Python 3.10 or newer and a project environment managed with uv, pip, or another Python package manager. OpenAI API credentials or another configured model provider supported through the SDK's provider-agnostic routes. A reviewed tool boundary for function tools, hosted tools, MCP tools, handoffs, sandbox agents, and any external systems the agent can call. A tracing, logging, and retention policy for prompts, tool calls, sessions, provider responses, and run metadata.	Python 3.10 or newer and a Python environment managed with pip, uv, or another package manager. A selected model route, such as Hugging Face Inference Providers, local Transformers, Ollama, LiteLLM, OpenAI-compatible servers, Azure OpenAI, Bedrock, or another configured provider. Provider credentials, Hugging Face tokens, local model access, or API keys stored outside source control. A sandbox plan for CodeAgent execution when agents can run Python actions, browse, call tools, or interact with user files.	Python 3.10 or newer for the Python SDK, or a supported .NET runtime for the `Microsoft.Agents.AI` package. A selected model/provider route, such as Microsoft Foundry, Azure OpenAI, OpenAI, GitHub Copilot SDK, or another supported provider. Azure identity, Foundry project, endpoint, model deployment, or API-key configuration appropriate for the chosen provider and runtime. A deployment plan for workflows, hosting, A2A, MCP, Durable Task, Azure Functions, local development, or cloud execution.
Install	`pip install 'ag2[openai]'`	`uv add openai-agents`	`pip install "smolagents[toolkit]"`	`pip install agent-framework`
Config	—	—	—	—
Citations	Source repositorygithub.com 2026-06-18T12:49:35+00:00 Documentationdocs.ag2.ai Websiteag2.ai	Source repositorygithub.com 2026-06-18T12:49:35+00:00 Documentationopenai.github.io	Source repositorygithub.com 2026-06-18T12:49:35+00:00 Documentationhuggingface.co	Source repositorygithub.com 2026-06-18T12:49:35+00:00 Documentationlearn.microsoft.com
Claim	Unclaimed	Unclaimed	Unclaimed	Unclaimed

Featured in

Best list: Tools for Claude-native teams

Signals

Loading live community signals…