Qwen-Agent
Open-source Qwen agent framework for building LLM applications with function calling, tools, planning, memory, RAG, MCP support, Docker-based code interpreter, Gradio GUI demos, BrowserQwen, Custom Assistant, and Qwen Chat backend usage.
Open the source and read safety notes before installing.
Safety notes
- Qwen-Agent can call custom tools, MCP tools, built-in code interpreter tools, RAG retrievers, browser-assistant workflows, and model-service APIs; review each tool for side effects before exposing it.
- The code interpreter uses Docker-based isolation and the upstream README still says to use it with caution in production, so treat it as a risky execution surface rather than a full security boundary.
- MCP configurations can expose filesystem, memory, SQLite, SaaS, browser, or internal API tools to the agent; scope paths and credentials narrowly.
- RAG and long-document workflows can retrieve untrusted text into the model context; defend against prompt injection and stale or unauthorized source documents.
- DashScope, vLLM, Ollama, and OpenAI-compatible deployments each have different tool-call parsing, model, reasoning, and operational behavior; test the exact route before relying on agent output.
Privacy notes
- Prompts, chat history, function-call arguments, tool results, MCP tool payloads, code-interpreter files, RAG documents, embeddings, browser-assistant state, GUI sessions, model responses, and logs can contain sensitive data.
- Do not place DashScope keys, model-service credentials, private files, customer documents, database contents, browser state, or internal URLs in public examples, notebooks, screenshots, or logs.
- Self-hosted Qwen model services and DashScope routes have different retention, telemetry, network, and access-control boundaries; review them before processing regulated or proprietary data.
- Code interpreter containers, mounted working directories, generated files, and RAG indexes need cleanup, retention, and access-control policies.
Prerequisites
- Python environment for installing `qwen-agent` and optional GUI, RAG, code interpreter, and MCP extras.
- DashScope API key or a self-hosted/OpenAI-compatible Qwen model service such as vLLM or Ollama.
- Docker installed and running before using the built-in code interpreter.
- Node.js, uv, Git, SQLite, and the target MCP server prerequisites when running MCP examples.
- A reviewed plan for tool permissions, document ingestion, browser-assistant access, GUI exposure, and model-service routing.
Schema details
- Install type: cli
- Troubleshooting: No
- Scope: Source repo
- Estimated setup: 30 minutes
- Difficulty: intermediate
- Pricing: open-source
- Disclosure: editorial
- Application category: DeveloperApplication
- Operating system: macOS, Windows, Linux
Full copyable content
pip install -U "qwen-agent[gui,rag,code_interpreter,mcp]"
About this resource
Overview
Qwen-Agent is an open-source framework for building LLM applications on Qwen models. It focuses on instruction following, tool usage, planning, memory, function calling, RAG, MCP, code interpreter workflows, and application examples such as BrowserQwen and Custom Assistant.
Use it when a team wants to build Qwen-native agents rather than a generic multi-provider coding assistant. It is relevant for Qwen Agent, Qwen-Agent MCP, Qwen RAG, Qwen function calling, Qwen code interpreter, BrowserQwen, and Qwen Chat backend searches.
Install
The upstream README documents a full install with optional GUI, RAG, code interpreter, and MCP extras:
pip install -U "qwen-agent[gui,rag,code_interpreter,mcp]"
Minimal installs can use `pip install -U qwen-agent`. Source installs are also documented from the QwenLM/Qwen-Agent repository.
Core Capabilities
| Area | Qwen-Agent Coverage |
|---|---|
| Agent Framework | Assistant, base Agent, LLM components, tool components, and custom agent implementations |
| Function Calling | LLM classes and agent classes for function/tool calling, including parallel function-call support |
| MCP | MCP server configuration examples and MCP usage cookbooks |
| RAG | RAG examples, long-document question answering, and agentic retrieval patterns |
| Code Interpreter | Docker-based built-in code interpreter for local execution workflows |
| GUI | Gradio WebUI support for quick agent demos |
| Browser Assistant | BrowserQwen browser-assistant application built on Qwen-Agent |
| Model Routing | DashScope model service, open-source Qwen deployments, vLLM, Ollama, and OpenAI-compatible services |
| Benchmarks | DeepPlanning benchmark and docs for evaluating planning behavior |
MCP and Agent Fit
Qwen-Agent is not an MCP server listing. It is an agent framework that can use MCP servers as tools through configuration, alongside built-in tools, custom tools, RAG, and code interpreter workflows.
That makes it useful for Qwen teams experimenting with MCP-heavy agents, function calling, tool-integrated reasoning, long-document RAG, and local or hosted Qwen model deployments.
Use Cases
- Build a Qwen-powered assistant that calls custom tools.
- Add MCP server tools to a Qwen agent workflow.
- Build RAG or long-document question-answering applications.
- Run a Docker-based code interpreter in local testing workflows.
- Launch a Gradio demo for an agent.
- Use BrowserQwen as a browser-assistant reference application.
- Compare Qwen-native agents against LangChain, LangGraph, Qwen Code, or generic MCP clients.
Source Review
Verified on 2026-06-18:
- The upstream repository describes Qwen-Agent as a framework for developing LLM applications based on Qwen instruction-following, tool-usage, planning, and memory capabilities.
- The README lists example applications including Browser Assistant, Code Interpreter, and Custom Assistant, and says Qwen-Agent is the backend of Qwen Chat.
- The README documents installation from PyPI with optional extras for GUI, RAG, code interpreter, and MCP support.
- The model-service section documents DashScope, open-source Qwen deployments, vLLM, Ollama, and OpenAI-compatible service options.
- The README documents built-in agent classes, custom tools, Gradio WebUI, MCP configuration examples, function-calling support, and a Docker-based code interpreter caution.
- The GitHub repository is Apache-2.0 licensed and the PyPI package `qwen-agent` currently resolves with package metadata.
Duplicate Check
Checked current `content/tools/`, `content/mcp/`, `content/agents/`, `content/skills/`, guides, README output, and open pull requests for Qwen-Agent, Qwen Agent, QwenLM/Qwen-Agent, `qwen-agent`, `qwen_agent`, Qwen MCP, Qwen RAG, Qwen code interpreter, BrowserQwen, and Qwen custom assistant. Existing Qwen Code content covers the terminal coding agent from `QwenLM/qwen-code`; no dedicated Qwen-Agent framework entry, exact source URL duplicate, or open duplicate PR was found.
Disclosure
Editorial listing. No paid placement or affiliate link is used.
How it compares
Qwen-Agent side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
| Field | Qwen-Agent | Qwen Code | AG2 Agent Framework | Open WebUI |
|---|---|---|---|---|
| Description | Open-source Qwen agent framework for building LLM applications with function calling, tools, planning, memory, RAG, MCP support, Docker-based code interpreter, Gradio GUI demos, BrowserQwen, Custom Assistant, and Qwen Chat backend usage. | Open-source terminal AI coding agent from Qwen with Auto-Memory, Auto-Skills, SubAgents, Agent Teams, dynamic workflows, MCP support, multi-provider model routing, IDE plugins, desktop app, daemon mode, SDKs, IM bots, sandboxing, and worktree-aware coding workflows. | Open-source Python AgentOS and multi-agent framework, evolved from AutoGen, for building conversable agents, group chats, swarms, human-in-the-loop workflows, tool use, RAG, code execution, and provider-backed agent systems. | Self-hosted AI platform and web UI for Ollama, OpenAI-compatible APIs, RAG, Python function tools, model builder workflows, artifacts, web search, vector databases, enterprise auth, observability, plugins, and MCP-adjacent OpenAPI integrations. |
| Trust | | | | |
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Category | tools | tools | tools | tools |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | Qwen | Qwen | AG2 | Open WebUI |
| Added | 2026-06-18 | 2026-06-18 | 2026-06-18 | 2026-06-18 |
| Platforms | CLI | CLI | CLI | CLI |
| Source repo | — | — | — | — |
| Safety notes | ✓ Qwen-Agent can call custom tools, MCP tools, built-in code interpreter tools, RAG retrievers, browser-assistant workflows, and model-service APIs; review each tool for side effects before exposing it. The code interpreter uses Docker-based isolation and the upstream README still says to use it with caution in production, so treat it as a risky execution surface rather than a full security boundary. MCP configurations can expose filesystem, memory, SQLite, SaaS, browser, or internal API tools to the agent; scope paths and credentials narrowly. RAG and long-document workflows can retrieve untrusted text into the model context; defend against prompt injection and stale or unauthorized source documents. DashScope, vLLM, Ollama, and OpenAI-compatible deployments each have different tool-call parsing, model, reasoning, and operational behavior; test the exact route before relying on agent output. | ✓ Qwen Code can edit files, run commands, use MCP servers, launch subagents, apply skills, use hooks, operate in sandboxes, and manage worktrees; keep destructive or credentialed actions behind explicit approval. Auto-Memory and Auto-Skills can persist or reuse context across tasks; review what is stored, updated, and replayed before using sensitive repositories or customer data. Daemon mode and IM bot channels can expose a shared agent session over HTTP+SSE or messaging platforms; require authentication, network controls, audit logs, and operator visibility. MCP servers can expose databases, SaaS accounts, browsers, cloud resources, files, or internal APIs to the agent; apply least privilege per server. Multi-provider routing means prompts and code may go to different model providers at runtime; lock down provider choices for regulated or confidential work. | ✓ AG2 agents can converse, call tools, execute code, use retrieval systems, run browser workflows, and coordinate group chats; require explicit permissions and approval gates for high-impact actions. The upstream install docs and examples commonly involve provider credentials; keep API keys, config files, notebooks, and `.env` files out of commits and support tickets. Code execution, Docker, Jupyter, browser-use, and RAG extras can touch local files, network services, notebooks, databases, and external websites; scope them tightly before granting agent access. Multi-agent conversations can continue through nested chats, swarms, group chats, and custom reply handlers; define termination, escalation, retry, and human takeover behavior. Track the release roadmap before upgrading because deprecations and the v1.0 transition can change which APIs should be used for new work. | ✓ Open WebUI can run Python function-calling tools, RAG ingestion, web search, web browsing, image generation, plugins, and model/provider integrations; review each capability before enabling it for untrusted users. Docker examples expose web ports and persistent volumes. Mount persistent data, set admin/auth controls, and avoid treating demo defaults as production hardening. Python function tools and plugin pipelines can execute application logic and access configured services. Restrict tool creation and plugin installation to trusted administrators. RAG and web browsing can ingest local documents, URLs, cloud files, and extracted text; test indexing quality and permissions before exposing private corpora to users. Open WebUI uses a custom Open WebUI License with branding restrictions and enterprise-license exceptions. Verify license terms before redistribution, white-labeling, or commercial deployment. |
| Privacy notes | ✓ Prompts, chat history, function-call arguments, tool results, MCP tool payloads, code-interpreter files, RAG documents, embeddings, browser-assistant state, GUI sessions, model responses, and logs can contain sensitive data. Do not place DashScope keys, model-service credentials, private files, customer documents, database contents, browser state, or internal URLs in public examples, notebooks, screenshots, or logs. Self-hosted Qwen model services and DashScope routes have different retention, telemetry, network, and access-control boundaries; review them before processing regulated or proprietary data. Code interpreter containers, mounted working directories, generated files, and RAG indexes need cleanup, retention, and access-control policies. | ✓ Prompts, selected files, memory, skills, subagent transcripts, MCP tool arguments, MCP tool results, hooks, shell output, worktree paths, daemon traffic, IM bot messages, SDK messages, and provider responses may contain sensitive data. Do not expose provider API keys, OAuth tokens, Qwen credentials, private repository content, customer data, or internal system details through prompts, logs, screenshots, bot messages, or shared sessions. Provider privacy, retention, billing, and telemetry behavior depends on the selected Qwen, OpenAI, Anthropic, Gemini, local, or third-party model route. Desktop, daemon, IDE, SDK, and IM-bot modes may retain or relay agent context outside the terminal session; review logs and storage for each mode. | ✓ Prompts, messages, tool arguments, tool outputs, code snippets, notebook state, retrieved documents, vector-store contents, provider responses, traces, and execution logs may contain sensitive user or workspace data. Do not expose secrets, API keys, private file paths, customer records, internal documents, database rows, or raw exceptions through agent messages, logs, notebooks, screenshots, or public examples. Provider extras and retrieval integrations can route data through OpenAI, Anthropic, Google, AWS, local model servers, databases, vector stores, browser automation, or other third-party services. If AG2 is used for code execution or browser automation, define which files, domains, credentials, downloads, screenshots, and logs can be read or retained. | ✓ Chats, prompts, uploaded files, document chunks, embeddings, vector metadata, web search results, browser-fetched pages, Python tool inputs, plugin outputs, voice/video data, logs, metrics, and traces may contain private data. Configured model providers, vector databases, document extraction engines, web search providers, image providers, object storage, Redis, auth providers, and observability backends may receive user data. Keep provider keys, OAuth/LDAP/SSO secrets, database URLs, object storage keys, plugin credentials, uploaded files, RAG indexes, and OpenTelemetry exports out of public repos and screenshots. Define retention, deletion, tenant separation, group permissions, export policy, and audit review before using Open WebUI as a shared internal workspace. |
| Prerequisites | | | | |
| Install | | | | |
| Config | — | — | — | — |
| Citations | | | | |
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |