Language / 语言

Agent 热门方向地图:八条相邻路径,回到五个核心问题

Jul 2026 · 32 条一手资料检索线 · RSI / Auto Research / Long Horizon / Environments / Synthetic Training

Agent 研究现在很容易被热点词带着扩张:memory、multi-agent、MCP、world model、computer use、self-evolving skills。它们确实重要,但不应各自变成一个没有验收边界的新项目。本篇将 32 条一手资料检索线压缩为八个相邻方向,并只问一个问题:它们怎样使五条核心研究线更可测、更安全,或更容易被推翻?

阅读规则:表中的结论是来源所支持的最窄结论,许多来源仍是预印本。它们不是对所列项目、模型或方案的背书。Frontier Auto Research / ART、ClawBench V2、RSIBench / OpenRSI 和 WebsiteBench在本文仍指研究方向或工作名,除非另有公开发布。

1. 先固定五个核心问题

  1. RSI: 改进过程是否在独立接纳和未见任务上跨代变好?
  2. Auto Research: 系统能否交付可复跑、带对照和局限的研究工件?
  3. Long horizon: 数小时任务能否保存状态、恢复、控制成本,并在中断后仍对终态负责?
  4. Environment: 初态、动作权限、reward、verifier 和证据轨是否独立且可审计?
  5. Synthetic-instance training: 合成实例或轨迹能否在严格隔离的未见环境上带来迁移,而不是只记住生成器?

热点方向的价值不是增加一层口号,而是为上述某个问题加一个可测变量或反例。下面的八组正好覆盖 32 条检索线。

相邻方向 四条检索线 可回写的核心变量 不能误推
状态与 memory Agent Memory, MemGym, AgeMem, MAGE 状态构造、检索、压缩、修订与恢复成本 有 memory 不等于具备长程能力
多 agent 协作 SABER, NRT-Bench, MAFBench, MAESTRO delegation、最小权限、消息/轨迹和总预算 更多 worker 不等于更好
MCP 与工具治理 protocol governance, execution control, threat modeling, MCP-Persona tool contract、身份、授权、可撤销执行 接入协议不等于安全执行
Agent 安全 BrowseSafe, Security Considerations, AgentDyn, WASP 非可信输入、注入、sandbox、policy interception guard 得分不等于真实安全
World model / embodied WorldArena, WorldArena 2.0, WorldLines, LongAct world state、交互效用、长期计划和空间/情节记忆 逼真画面不等于可用环境
Harness 与计划 AHE, APB, TRACE, ClawArena-Team editable surface、过程证据、计划失败与管理权限 outcome 分数不能归因给模型本身
大工具空间与调度 PlanBench-XL, SAGA, Uno-Orchestra, AutomationBench tool discovery、failure recovery、workflow cost、跨应用终态 更便宜的并行不等于可靠结果
持续学习与技能 ACuRL, MUSE-Autoskill, skill-evolution survey, SkillOpt curriculum、skill lifecycle、held-out acceptance、回归 自我编辑不等于 RSI

2. 状态与 Memory:把“记住”拆成可审计的执行状态

Agent Memory 将长程、带工具的 stateful workload 分解为构造、检索与生成阶段;MemGym 试图将 memory 在深度研究、coding 与 computer use 中独立测量;AgeMem 把长短期记忆操作作为可训练动作;MAGE 则把执行状态组织成可增长、压缩、维护和修订的层级结构。

回写。 Long-horizon harness 不应只保存“聊天摘要”。它要把 task manifest、外部事实、候选工件、未决假设、checkpoint 与状态变更原因做成版本化对象;对每次检索、压缩或恢复报告成本与影响。RSIBench 也可把“候选改动破坏 state reconstruction”作为 regression,而不仅检查最终任务。

边界。 在一个任务上检索到正确片段,不能证明长期因果状态被正确维护;memory 写入/读取本身也必须落在可观察、可回滚的权限面内。

从 context、event ledger、retrieval、execution state 到 checkpoint/recovery 和 memory trust boundary 的完整协议,见Agent Memory:从相似度检索到可恢复、可验证的执行状态

3. 多 Agent:把协作当作一种有成本的控制策略

SABER 关注 stateful coding workspace 中的 operational safety;NRT-Bench 用可回放的多轮 red-teaming 考察团队风险;MAFBench 指出 orchestrator 选择会改变准确率、时延和协调行为;MAESTRO 则导出 framework-agnostic trace 与系统信号,显示架构可主导成本、可复现性和时延权衡。

回写。 ART 和 ClawBench V2 的 baseline 必须含单 agent、顺序多步与并行 delegation;固定总 token、wall-clock、worker-hours 和权限。每一次子任务授予的读写能力、输入摘要、输出工件和 merge decision 都进入 trace。对 “team 更强” 的最低证据是同预算下的终态、回归、重复劳动和合并冲突,而非 worker 数量。

边界。 并行化可以只是在把成本搬到更多 API 调用或更宽权限上;团队消息看起来合理,也不证明终态、来源或安全约束正确。

把 delegation ticket、handoff、merge、同预算 baseline 与团队安全展开为可执行协议,见多 Agent 系统:委托、交接与可验证的协作

4. MCP 与 Tool Governance:连接不是执行控制

Governance Gaps in Emerging AI Agent Protocols 讨论当下协议层缺失的治理原语;From Tool Connection to Execution Control 提出运行时执行控制不应被连接协议替代;Security Threat Modeling for Emerging AI Agent Protocols 提供协议威胁建模视角;MCP-Persona 说明工具组合还可按用户/任务偏好评估。

回写。 Environment contract 要在工具名之外声明:schema、身份、授权、幂等性、外部副作用、审计事件、撤销与错误语义。WebsiteBench 可以把“需要正确工具选择,但不能越权调用”做成独立维度;RSIBench 的候选不应拥有修改 verifier、policy 或 credential routing 的权限。

边界。 MCP/A2A 一类协议是互操作接口,不是 sandbox、least privilege、approval workflow 或完整审计系统。安全主张必须通过运行时拦截和终态检查来验证。

把这一条从热点概览展开为可执行 contract、对抗任务与 acceptance 协议,见Agent 工具治理:MCP、Browser/Computer Use 与可验证的安全边界

5. Agent Security:把网页与工具输出当作非可信输入

BrowseSafe 研究网页内容中的 prompt injection;Security Considerations for AI Agents 将输入、模型和 sandbox 表面列为不同攻击面;AgentDyn 提供动态真实世界 prompt-injection 测试思路;WASP 在隔离环境中研究 web-agent injection 攻击。

回写。 ClawBench V2 / WebsiteBench 应把 untrusted page、tool response、文件和任务文本分开标记;特权、隐藏规则和 evaluator 上下文不得进入网页或普通工具回显。每个 task family 至少加入注入、误导性工具说明、正确 endpoint 但错误 payload、以及“界面看似完成但后端未提交”的反例。

边界。 一个 guard 的检出率不等于安全;它还需要报告误拦截、漏拦截、性能开销、攻击分布变化和因用户确认造成的权限升级。

6. World Models 与 Embodied Agents:环境要测功能,不只测像不像

WorldArena 提醒视觉/感知质量与实际交互效用之间可能有缺口;WorldArena 2.0 将评估扩展到 visuotactile 与 interactive RL;WorldLines 把长期具身任务绑定到可追溯的 state、memory 与规划;LongAct 聚焦自由文本家庭任务中的依赖、记忆和适应性计划。

回写。 “world model” 对我们最直接的作用是 environment design:状态是否足以支持多步决策,状态变化是否能被独立 verifier 检查,agent 是否需要维护可恢复的世界模型。合成实例不只生成任务文本,还应生成初态、可执行转移、失败分支和后验检查。

边界。 渲染逼真、视频流畅或 rollout 看起来连贯,并不证明环境语义、因果转移或跨分布控制有效。Web/desktop 环境首先需要业务后置条件,不能用视觉相似度替代。

将 world model、可执行环境、状态恢复、合成实例谱系与独立终态验收展开为同一份 contract,见World Models 与 Agent Environments:从逼真画面到可验证的状态转移

7. Harness 与 Planning:把模型行为归属到完整配置

Agentic Harness Engineering 将可编辑组件、经验摘要与决策预测组织为可证伪的 harness 演化闭环;Agent Planning Benchmark 将计划、反馈条件下的重规划、噪声工具和不可解任务区分测量;TRACE 强调过程效用、evidence grounding 和所需支架强度;ClawArena-Team 将 subagent management 与 least-privilege、模态路由一起评分。

回写。 所有公开结果应写作 model + harness + environment + tool policy + evaluator + budget。ART 的每个编辑都需要 prediction、作用面、risk 和 held-out acceptance;Long-horizon task 另报告计划质量、工具噪声恢复、停止/拒绝正确性,而不是仅报 pass rate。

边界。 更长 prompt、更复杂 loop 或更高 outcome 都不能自动归因于“模型能力”或“真正的规划”;尤其不能据此宣称自动化 harness evolution 已构成强 RSI。

将 plan、execution、replanning、delegation/scheduling 与独立终态验收逐一拆开,见Agent Planning:从漂亮计划到可验证的重规划

8. 大工具空间与 Orchestration:把效率指标并入正确性协议

PlanBench-XL 用大规模工具生态和故障工具测试检索、适应和恢复;SAGA 把完整 agent workflow 而非单次推理作为调度单位;Uno-Orchestra 研究选择性 delegation;AutomationBench 将跨应用 API 发现、政策遵循与终态写入结合为任务。

回写。 对多工具 environment,动作空间应包括发现、调用、验证、恢复和停止。报告 cost_per_verified_success、最坏延迟、失败后恢复、无效调用与权限升级;对跨应用工作流只以独立检查过的后端终态作为完成信号。

边界。 更低延迟或更多吞吐不等于正确完成;一个 workflow scheduler 的结果也不自动迁移到小规模 benchmark、浏览器 UI 或科学研究工件。

9. 持续学习与 Skill Evolution:把技能看成受测试的外部状态

ACuRL 将目标环境探索、curriculum task synthesis 与持续适应相连;MUSE-Autoskill 将技能创建、存储、管理、测试与修订作为生命周期;Agent Skill Evaluation and Evolution 综述执行反馈、轨迹蒸馏、压缩和 RL 等演化范式;SkillOpt 将技能文档编辑限制为由 held-out 分数接纳的变更。

回写。 “skill” 可以是 prompt、tool recipe、可执行脚本或状态 schema,但要像代码一样版本化:声明输入/输出、权限、测试、适用分布、成本和过期条件。合成实例训练应该对 skill reuse、regression 与跨环境迁移做分离评测;RSIBench 可把外部 skill 的 accepted/rejected edit 当作受控的自改对象。

边界。 依赖同一 generator、task template 或 reward 的 self-edit loop 很可能只是局部拟合。只有独立 evaluator、冻结 holdout、受限权限和跨代曲线同时成立,才可讨论更强的改进主张。

SKILL.md 格式、activation、生命周期、供应链到 held-out acceptance 的完整协议,见Agent Skills:从 SKILL.md 到受控持续学习与独立接纳

10. 收束为五条项目设计决策

核心线 现在应新增的设计 最小可推翻实验
RSI / OpenRSI 版本化 skills/harness/state,候选不能写 acceptance 或 credentials 与无 held-out gate 的 self-edit 比较跨代收益、回归与完整性违规
ART / Auto Research 研究工件须带状态谱系、计划/证据轨、单/多 agent 同预算对照 同一问题比较单 agent、顺序与并行,检查可复跑结论而非文案质量
Long horizon 把状态事件、checkpoint、恢复、停止与成本当一等输出 故障注入后测 state reconstruction、recovery、unsafe action 与 verified success
ClawBench V2 / WebsiteBench 工具协议、least privilege、注入隔离和后端 verifier 进入环境 contract 在 hidden injection、错误 payload 与 UI/后端不一致上测安全和终态
Synthetic training 可执行实例+初态+转移+verifier;对 skills 做生命周期与 OOD 接纳 同预算 SFT、RL、SFT+RL,在按环境/规则隔离的 held-out task 上比较

这份地图的结论很克制:热门方向值得做成对五条核心问题的约束和诊断,而不是同时开启八个新产品。下一轮工作应优先实现能验证上述设计决策的最小任务与反例,再决定哪一条线值得扩大为论文或训练计划。

Hot Agent Directions: Eight Adjacent Paths Back to the Core Five

Jul 2026 · 32 primary-source research lanes · RSI / Auto Research / Long Horizon / Environments / Synthetic Training

Agent research can expand too easily around fashionable terms: memory, multi-agent systems, MCP, world models, computer use, and self-evolving skills. Each matters, but none should automatically become an unbounded new project. This note compresses 32 primary-source research lanes into eight adjacent directions and asks one question: how can they make one of the five core research threads more measurable, safer, or easier to falsify?

Reading rule: each statement below is the narrowest conclusion supported by its source; many sources remain preprints. These citations are not endorsements of a listed project, model, or design. Frontier Auto Research / ART, ClawBench V2, RSIBench / OpenRSI, and WebsiteBench remain research directions or working names here unless separately released publicly.

1. Fix the Five Core Questions First

  1. RSI: Does the improvement process improve across generations on independent acceptance and unseen tasks?
  2. Auto Research: Can the system deliver a replayable research artifact with controls and limits?
  3. Long horizon: Can an hours-long task retain state, recover, control cost, and remain accountable for its final state after interruption?
  4. Environment: Are initial state, action authority, reward, verifier, and evidence trail independent and auditable?
  5. Synthetic-instance training: Do synthetic instances or trajectories transfer to strictly separated unseen environments rather than memorize their generator?

The value of a hot direction is not another slogan. It is a measurable variable or counterexample for one of these questions. The eight groups below cover the 32 research lanes.

Adjacent direction Four research lanes Core variable it adds Invalid inference to avoid
State and memory Agent Memory, MemGym, AgeMem, MAGE State construction, retrieval, compression, revision, recovery cost Memory does not imply long-horizon ability
Multi-agent coordination SABER, NRT-Bench, MAFBench, MAESTRO Delegation, least privilege, messages/traces, total budget More workers are not automatically better
MCP and tool governance protocol governance, execution control, threat modeling, MCP-Persona Tool contract, identity, authorization, revocable execution A connection protocol is not secure execution
Agent security BrowseSafe, Security Considerations, AgentDyn, WASP Untrusted inputs, injection, sandboxing, policy interception A guard score is not real-world safety
World models / embodied agents WorldArena, WorldArena 2.0, WorldLines, LongAct World state, interaction utility, long planning, spatial/episodic memory Plausible imagery is not a usable environment
Harness and planning AHE, APB, TRACE, ClawArena-Team Editable surface, process evidence, planning failure, management authority Outcome score cannot be assigned to the base model alone
Large tool spaces and orchestration PlanBench-XL, SAGA, Uno-Orchestra, AutomationBench Tool discovery, recovery, workflow cost, cross-app final state Cheaper parallelism is not a reliable result
Continual learning and skills ACuRL, MUSE-Autoskill, skill-evolution survey, SkillOpt Curriculum, skill lifecycle, held-out acceptance, regression Self-editing is not RSI

2. State and Memory: Turn “Remembering” into Auditable Execution State

Agent Memory separates construction, retrieval, and generation phases in stateful, tool-using long-horizon workloads. MemGym attempts to isolate memory measurement across deep research, coding, and computer use. AgeMem treats long- and short-term memory operations as trainable actions. MAGE organizes execution state as a hierarchy that can grow, compress, maintain, and revise.

Write-back. A long-horizon harness should retain more than a chat summary: task manifest, external facts, candidate artifacts, unresolved hypotheses, checkpoints, and reasons for state changes should become versioned objects. Retrieval, compression, and recovery need cost and impact reporting. RSIBench can also treat a candidate change that breaks state reconstruction as a regression, not merely inspect final-task success.

Boundary. Retrieving a correct snippet on one task does not show that a system maintains causal long-term state. Memory reads and writes also belong inside observable, reversible authority boundaries.

For the full protocol from context, event ledger, and retrieval to execution state, checkpoint/recovery, and a memory trust boundary, see Agent Memory: From Similarity Retrieval to Recoverable, Verifiable Execution State.

3. Multi-Agent Systems: Treat Collaboration as a Costed Control Policy

SABER examines operational safety in stateful coding workspaces. NRT-Bench uses replayable multi-turn red-teaming for team risk. MAFBench finds orchestration choices can change accuracy, latency, and coordination behavior. MAESTRO exports framework-agnostic traces and system signals, showing that architecture can dominate cost, reproducibility, and latency trade-offs.

Write-back. ART and ClawBench V2 baselines should include one agent, sequential multi-step work, and parallel delegation under fixed total tokens, wall-clock time, worker-hours, and authority. Each subtask’s read/write grant, input summary, artifact, and merge decision belongs in the trace. The minimum evidence for “a team is better” is same-budget final state, regressions, duplicated work, and merge conflicts, not worker count.

Boundary. Parallelism may only move expenditure to more API calls or wider authority. Plausible team messages do not establish correct final state, provenance, or safety constraints.

For an executable protocol covering delegation tickets, handoffs, merging, same-budget baselines, and team safety, see Multi-Agent Systems: Delegation, Handoffs, and Verifiable Collaboration.

4. MCP and Tool Governance: Connection Is Not Execution Control

Governance Gaps in Emerging AI Agent Protocols discusses missing governance primitives at the current protocol layer. From Tool Connection to Execution Control argues that runtime execution control should not be replaced by a connection protocol. Security Threat Modeling for Emerging AI Agent Protocols provides a protocol threat-modeling lens. MCP-Persona illustrates that tool portfolios can also be evaluated against user or task preferences.

Write-back. Beyond a tool name, an environment contract should declare schema, identity, authority, idempotency, external effects, audit events, revocation, and error semantics. WebsiteBench can make “select the right tool without unauthorized calls” an independent axis. A RSIBench candidate must not be allowed to modify the verifier, policy, or credential routing.

Boundary. Protocols such as MCP or A2A are interoperability interfaces, not sandboxes, least privilege, approval workflows, or complete audit systems. Security claims require runtime interception and final-state checking.

For an executable contract, adversarial tasks, and an acceptance protocol for this direction, see Agent Tool Governance: MCP, Browser/Computer Use, and Verifiable Security Boundaries.

5. Agent Security: Treat Web and Tool Output as Untrusted Input

BrowseSafe studies prompt injection in web content. Security Considerations for AI Agents separates input, model, and sandbox attack surfaces. AgentDyn offers a dynamic real-world prompt-injection testing direction. WASP studies web-agent injection attacks in isolated environments.

Write-back. ClawBench V2 and WebsiteBench should label untrusted pages, tool responses, files, and task text separately. Privileges, hidden rules, and evaluator context must not enter the web page or ordinary tool echoes. Every task family should contain counterexamples for injection, deceptive tool descriptions, correct endpoint but wrong payload, and a UI that looks complete while the backend has not committed.

Boundary. A guard’s detection rate is not safety. Report false blocks, misses, overhead, attack-distribution shift, and authority escalation triggered by user confirmation.

6. World Models and Embodied Agents: Test Function, Not Just Appearance

WorldArena highlights a gap between visual/perceptual quality and actual interactive utility. WorldArena 2.0 extends evaluation toward visuotactile and interactive RL settings. WorldLines binds long-horizon embodied tasks to traceable state, memory, and planning. LongAct studies dependencies, memory, and adaptive planning in free-form household tasks.

Write-back. The immediate role of a world model for this program is environment design: is state sufficient for multi-step decisions, can state changes be independently verified, and must the agent maintain a recoverable world model? Synthetic instances should generate not only task text but initial state, executable transitions, failure branches, and postcondition checks.

Boundary. Realistic rendering, smooth video, or coherent-looking rollouts do not establish environment semantics, causal transitions, or out-of-distribution control. Web and desktop environments first need business postconditions; visual similarity is insufficient.

For one contract tying world models to executable environments, recoverable state, synthetic-instance lineage, and independent terminal acceptance, see World Models and Agent Environments: From Plausible Frames to Verifiable State Transitions.

7. Harness and Planning: Attribute Behavior to the Complete Configuration

Agentic Harness Engineering organizes editable components, distilled experience, and decision predictions into a falsifiable harness-evolution loop. Agent Planning Benchmark separately measures planning, feedback-conditioned replanning, noisy tools, and unsolvable tasks. TRACE emphasizes trajectory utility, evidence grounding, and the minimum support needed for success. ClawArena-Team scores subagent management together with least privilege and modality routing.

Write-back. Every public result should be attributed to model + harness + environment + tool policy + evaluator + budget. Each ART edit needs a prediction, scope, risk, and held-out acceptance. Long-horizon tasks should separately report plan quality, recovery from tool noise, and correct stopping or refusal, not only pass rate.

Boundary. A longer prompt, more complex loop, or higher outcome cannot automatically be attributed to model capability or genuine planning. It is especially not evidence that automated harness evolution is strong RSI.

For a separate protocol for plan, execution, replanning, delegation/scheduling, and independent terminal acceptance, see Agent Planning: From Plausible Plans to Verifiable Replanning.

8. Large Tool Spaces and Orchestration: Put Efficiency Inside the Correctness Protocol

PlanBench-XL tests retrieval, adaptation, and recovery in a large tool ecosystem with tool failures. SAGA treats the full agent workflow rather than one inference request as the scheduling unit. Uno-Orchestra studies selective delegation. AutomationBench combines cross-application API discovery, policy adherence, and final writes.

Write-back. A multi-tool environment should expose discovery, invocation, verification, recovery, and stopping. Report cost_per_verified_success, tail latency, failure recovery, invalid calls, and authority escalation. For cross-application work, only independently checked backend state should signal completion.

Boundary. Lower latency or greater throughput is not correct completion. A workflow scheduler result also does not automatically transfer to a small benchmark, a browser UI, or a scientific research artifact.

9. Continual Learning and Skill Evolution: Treat Skills as Tested External State

ACuRL connects target-environment exploration, curriculum task synthesis, and continual adaptation. MUSE-Autoskill treats creation, storage, management, testing, and revision as a skill lifecycle. Agent Skill Evaluation and Evolution surveys evolution through execution feedback, trajectory distillation, compression, and RL. SkillOpt constrains skill-document edits to changes accepted by held-out score.

Write-back. A skill may be a prompt, tool recipe, executable script, or state schema, but it needs code-like versioning: inputs/outputs, authority, tests, applicable distribution, cost, and expiry. Synthetic training should separate skill reuse, regression, and cross-environment transfer. RSIBench can use accepted and rejected external-skill edits as a controlled self-modification surface.

Boundary. A self-edit loop sharing its generator, task template, or reward may merely fit locally. Stronger improvement claims need independent evaluators, frozen holdouts, limited authority, and cross-generation curves together.

For the full protocol from SKILL.md format and activation through lifecycle, supply chain, and held-out acceptance, see Agent Skills: From SKILL.md to Governed Continual Learning and Independent Acceptance.

10. Converge to Five Design Decisions

Core thread Design to add now Minimum falsification experiment
RSI / OpenRSI Versioned skills, harnesses, and state; candidates cannot write acceptance or credentials Compare cross-generation gain, regressions, and integrity violations against self-editing without a held-out gate
ART / Auto Research Research artifacts include state lineage, planning/evidence traces, and same-budget single/multi-agent controls Compare one agent, sequential, and parallel work on the same question; check replayable conclusions rather than prose quality
Long horizon State events, checkpoints, recovery, stopping, and cost are first-class outputs Inject failures and measure state reconstruction, recovery, unsafe actions, and verified success
ClawBench V2 / WebsiteBench Tool contracts, least privilege, injection isolation, and backend verifiers enter the environment contract Test safety and final state on hidden injections, wrong payloads, and UI/backend mismatches
Synthetic training Executable instances with initial state, transitions, and verifier; lifecycle management for skills Compare equal-budget SFT, RL, and SFT+RL on environment- and rule-separated held-out tasks

The conclusion is deliberately narrow: hot directions should become constraints and diagnostics for the five core questions, not eight simultaneous product tracks. The next iteration should implement the smallest tasks and counterexamples capable of testing these decisions, then decide which line merits expansion into a paper or training program.