toolsSource-backedReview first Safety ✓ Privacy ✓

AgentScope

Apache-2.0 Python framework for building visible, controllable, production AI agents and multi-agent services with event streaming, permission controls, workspaces, sandbox backends, middleware, MCP support, Mem0 memory, agent teams, and multi-tenant multi-session serving.

by AgentScope·added 2026-06-18·

CLI

HarnessCLI

Review first — review before installing

Open the source and read safety notes before installing.

Safety notes

AgentScope examples can give agents Bash, file-read, file-write, edit, search, MCP, and custom tools. Scope tool permissions and approval rules before connecting a real project or account.
The README demonstrates permission control, including bypass mode. Do not use bypass-style behavior on production systems, sensitive files, paid APIs, cloud resources, or unreviewed tool chains without compensating controls.
Workspace support can run tools and code through local, Docker, or E2B backends; review filesystem mounts, network access, secrets, resource limits, and cleanup behavior.
Agent teams, background tasks, and multi-session services can continue work after the initial request; define cancellation, timeout, wakeup, escalation, and audit behavior.
Mem0 memory, Redis-backed sessions, MCP configuration, OpenTelemetry, FastAPI services, and model-provider integrations all need version pinning, credential isolation, and security review before production use.

Privacy notes

AgentScope workflows can process prompts, model responses, tool arguments, tool outputs, workspace files, code, credentials accidentally present in context, event streams, web UI state, logs, traces, memory records, session state, and tenant metadata.
Long-term memory through Mem0 and multi-session service storage can persist user facts, intermediate outputs, retrieved context, and tool results beyond a single conversation.
Docker, E2B, MCP servers, model providers, Redis, OpenTelemetry exporters, FastAPI deployments, and web UI integrations may send or store data outside the local Python process depending on configuration.
Do not expose private prompts, API keys, unpublished code, customer data, tenant identifiers, session transcripts, or workspace artifacts in public issues, examples, screenshots, logs, or generated reports.

Prerequisites

Python 3.11 or newer and an isolated Python environment managed with pip, uv, or another package manager.
Model provider credentials for the selected model backend, such as DashScope, OpenAI-compatible APIs, Anthropic, Gemini, Ollama, xAI, or another supported route.
A permission policy for tools such as Bash, Grep, Glob, Read, Write, Edit, MCP tools, custom functions, and long-running background tasks.
A workspace isolation decision for local, Docker, E2B, or other sandbox backends before running code or file tools.
Storage, Redis, FastAPI, web UI, memory, telemetry, and deployment decisions when using multi-tenant or multi-session services.

Schema details

Install type: cli
Troubleshooting: No

Source repository stats

Scope: Source repo

Collection metadata

Estimated setup: 30 minutes
Difficulty: intermediate

Tool listing metadata

Website: https://docs.agentscope.io/
Pricing: free
Disclosure: editorial
Application category: DeveloperApplication
Operating system: Cross-platform

Full copyable content

pip install agentscope

About this resource

Overview

AgentScope is an Apache-2.0 Python framework for building and serving AI agents. The 2.0 README emphasizes visible and controllable agents through an event system, fine-grained permissions, multi-tenancy, multi-session serving, workspace/sandbox support, and middleware.

Use it when a Python team wants an agent framework that exposes agent state and tool activity to application code or a UI, rather than hiding agent behavior behind a single black-box call. It is especially relevant for MCP-enabled tools, sandboxed workspaces, agent services, agent teams, long-term memory, and human-in-the-loop control.

Install

AgentScope requires Python 3.11 or newer:

pip install agentscope

The project also documents editable source installs:

git clone -b main https://github.com/agentscope-ai/agentscope.git
cd agentscope
pip install -e .

Optional extras in pyproject.toml cover model providers, service deployment, storage, workspace backends, tool helpers, Mem0 memory, and full development setups. Install the smallest set that matches the target workflow.

Agent Capabilities

Area	AgentScope Coverage
Event System	Event bus for streaming agent activity to frontends and human-in-the-loop flows
Permissions	Fine-grained control over tools and resources, including confirmation and bypass-style modes
Service Runtime	FastAPI-based multi-tenant, multi-session agent service examples
Workspaces	Isolated local, Docker, and E2B workspace backends for tools and code
Middleware	Composable hooks around the reasoning and acting loop
Tools	Built-in examples for Bash, Grep, Glob, Read, Write, Edit, and custom tools
Memory	Mem0-supported long-term memory example and package extra
MCP	`mcp` package dependency and MCP-related configuration handling
Agent Teams	Agent team support with leader and worker coordination examples

Use Cases

Build Python agents that need streamed events for a web UI or operator view.
Add permission prompts around file, shell, code, MCP, or custom tool calls.
Serve isolated agents across tenants and sessions.
Run tool workloads inside local, Docker, or E2B workspaces.
Prototype agent teams with leader and worker coordination.
Add Mem0-backed long-term memory to an agent workflow.
Compare AgentScope with LangGraph, AutoGen/AG2, Microsoft Agent Framework, Google ADK, Strands Agents, and other Python agent frameworks.

Source Review

Verified on 2026-06-18:

The upstream repository describes AgentScope 2.0 as a production-ready agent framework with event system, permission system, multi-tenancy and multi-session service, workspace/sandbox support, and middleware.
The README lists Python 3.11 or newer and installs from PyPI with pip install agentscope.
The README includes an agent example using Bash, Grep, Glob, Read, Write, and Edit tools.
The README documents an agent service example with a FastAPI backend and web UI, plus demos for agent teams, task planning, permission control, background tool offloading, and conversation resumption.
The project news records Mem0 support, agent team support, and the May 2026 AgentScope 2.0 release.
pyproject.toml declares the agentscope package, Apache-2.0 licensing, Python >=3.11, MCP dependency, OpenTelemetry dependencies, service extras, Redis storage extras, workspace extras for Docker/E2B, tool extras, Mem0 extras, and provider extras.
PyPI resolves package metadata for agentscope version 2.0.2.
The latest GitHub release is v2.0.2, published on 2026-06-16.

Safety and Privacy

AgentScope's value is that agent behavior is visible and controllable, but it still sits close to high-impact operations: shell commands, file writes, custom tools, MCP servers, background tasks, web services, memory, sandboxes, and model-provider calls. Define permissions, tenant boundaries, workspace mounts, network access, approval checkpoints, and retention rules before using it with production data.

For hosted or multi-session services, decide who can inspect event streams, sessions, traces, memory, tool outputs, Redis state, web UI logs, and workspace artifacts. Durable memory and session history can retain sensitive context after a user believes the task is over.

Duplicate Check

Checked current content/tools/, content/agents/, content/mcp/, content/skills/, guides, open pull requests, and repository-wide content for agentscope-ai/agentscope, AgentScope, AgentScope 2.0, agentscope Python, AgentScope MCP, AgentScope workspace, AgentScope permission system, AgentScope agent service, and AgentScope agent team. No dedicated AgentScope tools entry, exact source URL duplicate, target file, or open duplicate PR was found.

Disclosure

Editorial listing. No paid placement or affiliate link is used. AgentScope is Apache-2.0 open-source software; model providers, DashScope, OpenAI-compatible APIs, Anthropic, Gemini, Ollama, xAI, MCP servers, E2B, Docker, Mem0, Redis, OpenTelemetry exporters, FastAPI deployments, and other connected systems may have separate licenses, billing, terms, privacy controls, and access requirements.

#agentscope #agents #agent-framework #multi-agent #python #mcp #sandbox #memory

Source citations

Add this badge to your README

Show that AgentScope is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

[![Listed on HeyClaude](https://heyclau.de/badge/tools/agentscope.svg)](https://heyclau.de/entry/tools/agentscope)

How it compares

AgentScope side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

Field	AgentScope Apache-2.0 Python framework for building visible, controllable, production AI agents and multi-agent services with event streaming, permission controls, workspaces, sandbox backends, middleware, MCP support, Mem0 memory, agent teams, and multi-tenant multi-session serving. Open dossier	MetaGPT Open-source Python multi-agent framework that assigns product manager, architect, project manager, engineer, and other software-company roles to LLM agents for natural-language programming, repo generation, data interpretation, research, debate, and custom agent workflows. Open dossier	OpenAI Agents Python SDK Official Python framework for building multi-agent workflows with agents, tools, handoffs, guardrails, sessions, tracing, realtime voice agents, MCP tools, hosted tools, human-in-the-loop flows, and sandbox agents. Open dossier	AG2 Agent Framework Open-source Python AgentOS and multi-agent framework, evolved from AutoGen, for building conversable agents, group chats, swarms, human-in-the-loop workflows, tool use, RAG, code execution, and provider-backed agent systems. Open dossier
Trust
Install risk	Review first	Review first	Review first	Review first
Notes	Safety ✓ Privacy ✓	Safety ✓ Privacy ✓	Safety ✓ Privacy ✓	Safety ✓ Privacy ✓
Category	tools	tools	tools	tools
Source	source-backed	source-backed	source-backed	source-backed
Author	AgentScope	FoundationAgents	OpenAI	AG2
Added	2026-06-18	2026-06-18	2026-06-18	2026-06-18
Platforms	CLI	CLI	CLI	CLI
Source repo	—	—	—	—
Safety notes	✓AgentScope examples can give agents Bash, file-read, file-write, edit, search, MCP, and custom tools. Scope tool permissions and approval rules before connecting a real project or account. The README demonstrates permission control, including bypass mode. Do not use bypass-style behavior on production systems, sensitive files, paid APIs, cloud resources, or unreviewed tool chains without compensating controls. Workspace support can run tools and code through local, Docker, or E2B backends; review filesystem mounts, network access, secrets, resource limits, and cleanup behavior. Agent teams, background tasks, and multi-session services can continue work after the initial request; define cancellation, timeout, wakeup, escalation, and audit behavior. Mem0 memory, Redis-backed sessions, MCP configuration, OpenTelemetry, FastAPI services, and model-provider integrations all need version pinning, credential isolation, and security review before production use.	✓MetaGPT can generate full repositories under a workspace from one-line requirements. Review generated code, dependencies, licenses, prompts, and build scripts before running or publishing anything. The framework coordinates multiple LLM roles and can call code, web, RAG, browser, email, GitHub, and provider integrations through its dependencies and optional extras; scope credentials and tools per workflow. Generated requirements, API designs, architecture documents, diagrams, and code can be plausible but wrong. Treat them as drafts until tested against source requirements and local constraints. Data Interpreter and notebook-style workflows may execute code, create plots, read files, and emit artifacts; run them in an isolated environment for untrusted data. Long multi-agent runs can consume significant model tokens and external API quota, so set cost ceilings, timeouts, and stopping criteria before production use.	✓Agents can call function tools, hosted tools, MCP tools, realtime tools, and sandbox agents; treat every tool as an API endpoint with explicit authorization, input validation, rate limits, and side-effect controls. Sandbox agents can inspect files, run commands, apply patches, and carry workspace state across longer tasks; restrict workspace scope and require human approval before destructive or high-impact actions. Guardrails are useful runtime checks, but they do not replace permission checks, least-privilege credentials, audit logs, or human review for risky operations. Handoffs and agents-as-tools can delegate work across agents; document which agent owns each tool, decision, retry, rollback, and escalation path. Realtime voice agents and human-in-the-loop flows need clear consent, interruption, recording, and operator takeover behavior.	✓AG2 agents can converse, call tools, execute code, use retrieval systems, run browser workflows, and coordinate group chats; require explicit permissions and approval gates for high-impact actions. The upstream install docs and examples commonly involve provider credentials; keep API keys, config files, notebooks, and `.env` files out of commits and support tickets. Code execution, Docker, Jupyter, browser-use, and RAG extras can touch local files, network services, notebooks, databases, and external websites; scope them tightly before granting agent access. Multi-agent conversations can continue through nested chats, swarms, group chats, and custom reply handlers; define termination, escalation, retry, and human takeover behavior. Track the release roadmap before upgrading because deprecations and the v1.0 transition can change which APIs should be used for new work.
Privacy notes	✓AgentScope workflows can process prompts, model responses, tool arguments, tool outputs, workspace files, code, credentials accidentally present in context, event streams, web UI state, logs, traces, memory records, session state, and tenant metadata. Long-term memory through Mem0 and multi-session service storage can persist user facts, intermediate outputs, retrieved context, and tool results beyond a single conversation. Docker, E2B, MCP servers, model providers, Redis, OpenTelemetry exporters, FastAPI deployments, and web UI integrations may send or store data outside the local Python process depending on configuration. Do not expose private prompts, API keys, unpublished code, customer data, tenant identifiers, session transcripts, or workspace artifacts in public issues, examples, screenshots, logs, or generated reports.	✓Requirements, prompts, role messages, generated code, diagrams, documents, repo files, notebook outputs, model responses, logs, and traces may contain private product or workspace data. Configured LLM providers, browser/search tools, RAG/vector services, GitHub integrations, email/IMAP tools, cloud providers, and generated workspaces may receive or retain workflow data. Do not commit `~/.metagpt/config2.yaml`, provider keys, local model URLs, generated repos with secrets, workspace logs, notebook outputs, or customer requirements. If teams share MetaGPT outputs, strip private prompts, internal system names, customer data, generated credentials, and non-public architecture details first.	✓Prompts, instructions, tool arguments, tool outputs, session history, traces, realtime audio events, sandbox files, logs, provider responses, and errors may contain user or workspace data. Do not expose secrets, tokens, private file paths, customer records, credentials, internal identifiers, or raw exceptions through traces, logs, prompts, tool schemas, or examples. When using MCP servers, hosted tools, Redis sessions, SQL-backed sessions, or observability systems, review each service's retention, access control, and third-party data handling separately. If sandbox agents operate on repositories or user files, define which files can be mounted, modified, committed, uploaded, logged, or returned to the model.	✓Prompts, messages, tool arguments, tool outputs, code snippets, notebook state, retrieved documents, vector-store contents, provider responses, traces, and execution logs may contain sensitive user or workspace data. Do not expose secrets, API keys, private file paths, customer records, internal documents, database rows, or raw exceptions through agent messages, logs, notebooks, screenshots, or public examples. Provider extras and retrieval integrations can route data through OpenAI, Anthropic, Google, AWS, local model servers, databases, vector stores, browser automation, or other third-party services. If AG2 is used for code execution or browser automation, define which files, domains, credentials, downloads, screenshots, and logs can be read or retained.
Prerequisites	Python 3.11 or newer and an isolated Python environment managed with pip, uv, or another package manager. Model provider credentials for the selected model backend, such as DashScope, OpenAI-compatible APIs, Anthropic, Gemini, Ollama, xAI, or another supported route. A permission policy for tools such as Bash, Grep, Glob, Read, Write, Edit, MCP tools, custom functions, and long-running background tasks. A workspace isolation decision for local, Docker, E2B, or other sandbox backends before running code or file tools.	Python 3.9 through 3.11 and an isolated Python environment. Node.js and pnpm for workflows that render diagrams or use MetaGPT's documented software-company generation path. LLM provider configuration in `~/.metagpt/config2.yaml`, such as OpenAI, Azure, Ollama, Groq, or another supported provider route. API keys, base URLs, local model endpoints, and generated workspace paths kept outside source control.	Python 3.10 or newer and a project environment managed with uv, pip, or another Python package manager. OpenAI API credentials or another configured model provider supported through the SDK's provider-agnostic routes. A reviewed tool boundary for function tools, hosted tools, MCP tools, handoffs, sandbox agents, and any external systems the agent can call. A tracing, logging, and retention policy for prompts, tool calls, sessions, provider responses, and run metadata.	Python 3.10 or newer and a Python environment managed with pip, uv, or another package manager. Model provider credentials for the selected provider extra, such as OpenAI, Anthropic, Gemini, Bedrock, Mistral, Ollama, Groq, xAI, or another supported route. A secrets strategy for provider keys, AG2 config files, `.env` files, notebooks, and example `OAI_CONFIG_LIST`-style credentials. A reviewed execution boundary for code execution, Docker, Jupyter, browser-use, RAG, retrieval, database, and external tool extras.
Install	`pip install agentscope`	`pip install --upgrade metagpt`	`uv add openai-agents`	`pip install 'ag2[openai]'`
Config	—	—	—	—
Citations	Source repositorygithub.com 2026-06-18T14:52:04-07:00 Documentationdocs.agentscope.io	Source repositorygithub.com 2026-06-18T14:52:04-07:00 Documentationdocs.deepwisdom.ai	Source repositorygithub.com 2026-06-18T14:52:04-07:00 Documentationopenai.github.io	Source repositorygithub.com 2026-06-18T14:52:04-07:00 Documentationdocs.ag2.ai
Claim	Unclaimed	Unclaimed	Unclaimed	Unclaimed

Featured in

Signals

Loading live community signals…