{ "schemaVersion": "1.0", "item": { "slug": "attestation-root-diversity-analyzer", "name": "Attestation Root Diversity Analyzer", "source": "tencent", "type": "skill", "category": "AI 智能", "sourceUrl": "https://clawhub.ai/andyxinweiminicloud/attestation-root-diversity-analyzer", "canonicalUrl": "https://clawhub.ai/andyxinweiminicloud/attestation-root-diversity-analyzer", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/attestation-root-diversity-analyzer", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=attestation-root-diversity-analyzer", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "SKILL.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-23T16:43:11.935Z", "expiresAt": "2026-04-30T16:43:11.935Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/attestation-root-diversity-analyzer" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/attestation-root-diversity-analyzer", "agentPageUrl": "https://openagent3.xyz/skills/attestation-root-diversity-analyzer/agent", "manifestUrl": "https://openagent3.xyz/skills/attestation-root-diversity-analyzer/agent.json", "briefUrl": "https://openagent3.xyz/skills/attestation-root-diversity-analyzer/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "The Attestation Chain Has Seven Links. They All Trace Back to One Root.", "body": "Helps identify when a skill's trust chain is structurally fragile — not because individual links are weak, but because all paths converge on a single root that one compromise can invalidate." }, { "title": "Problem", "body": "A skill with five attestation badges looks more trustworthy than a skill with one. But if four of those five badges trace back through the same root attestor, the effective trust diversity is closer to two than to five. The appearance of multiple independent validators is real; the independence is not.\n\nThis is a topology problem, not a cryptography problem. A trust graph where all paths converge on a single root is not a distributed trust system — it's a hub-and-spoke system wearing the visual appearance of a mesh. A hub-and-spoke system has all the failure properties of centralized trust: compromise the hub, and every spoke-rooted badge becomes invalid simultaneously.\n\nThe risk is not hypothetical. Self-attesting roots — where the publisher is also the root attestor, or where multiple attestation badges trace back to a single organization — are common in ecosystems where attestation is new and infrastructure is thin. A skill from a well-known publisher that has also reviewed its own dependencies through affiliated validators presents structural fragility even if every individual attestation is cryptographically correct.\n\nMeasuring this requires looking at the full trust graph, not just the badges at the leaves." }, { "title": "What This Analyzes", "body": "This analyzer examines attestation root diversity across five dimensions:\n\nRoot concentration index — What fraction of the attestation graph's trust paths converge on each distinct root? A Herfindahl-style concentration measure identifies whether trust is effectively distributed or structurally centralized\nSelf-attestation detection — Does the skill's publisher appear anywhere in its own trust chain? Self-attestation is not inherently invalid, but it must be disclosed and weighted appropriately\nOrganizational diversity — Are the distinct roots associated with independent organizations, or do multiple roots trace back to the same controlling entity through different organizational names?\nEffective validator count — After accounting for convergence, how many truly independent validators contribute to the skill's trust score? A skill with 12 badges from 3 organizations has an effective count of 3, not 12\nStructural fragility score — If the highest-concentration root were compromised, what percentage of the skill's attestation graph would be invalidated?" }, { "title": "How to Use", "body": "Input: Provide one of:\n\nA skill identifier with its attestation metadata\nA trust graph (validator chain, root identifiers) to analyze\nTwo skills to compare relative root concentration\n\nOutput: A root diversity report containing:\n\nRoot concentration index (0 = fully distributed, 1 = single root)\nAttestation graph visualization (text-based)\nSelf-attestation flags\nOrganizational diversity assessment\nEffective validator count\nStructural fragility score\nDiversity verdict: DISTRIBUTED / CONCENTRATED / MONOCULTURE / SELF-ATTESTING" }, { "title": "Example", "body": "Input: Analyze attestation root diversity for workflow-automator skill\n\n🌐 ATTESTATION ROOT DIVERSITY ANALYSIS\n\nSkill: workflow-automator\nAttestation badges: 7\nAudit timestamp: 2025-04-20T14:00:00Z\n\nTrust graph structure:\n Badge A → Validator-1 → Root-Alpha (publisher-org)\n Badge B → Validator-2 → Root-Alpha (publisher-org)\n Badge C → Validator-3 → Root-Alpha (publisher-org)\n Badge D → Validator-4 → Root-Beta (third-party)\n Badge E → Validator-5 → Root-Beta (third-party)\n Badge F → Validator-6 → Root-Alpha (publisher-org) ← affiliate\n Badge G → Validator-7 → Root-Gamma (community)\n\nRoot concentration analysis:\n Root-Alpha (publisher-org): 4/7 paths (57%) → publisher + 3 affiliated validators\n Root-Beta (third-party): 2/7 paths (29%)\n Root-Gamma (community): 1/7 paths (14%)\n\nHerfindahl index: 0.57² + 0.29² + 0.14² = 0.42\n (0 = perfect distribution, 1 = single root)\n Classification: CONCENTRATED (threshold: >0.33 = concentrated)\n\nSelf-attestation: ⚠️ DETECTED\n Root-Alpha is publisher-org — publisher attests to its own skill\n 3 of 7 badges trace directly to publisher-controlled validators\n\nOrganizational diversity:\n Distinct organizations: 3 (publisher-org, third-party, community)\n Effective independent: 2 (publisher-org counts as 1 despite 4 paths)\n Effective validator count: 2.4 (weighted by independence)\n\nStructural fragility:\n If Root-Alpha were compromised: 4/7 badges (57%) invalidated\n Residual trust: Root-Beta (29%) + Root-Gamma (14%) = 43%\n\nDiversity verdict: CONCENTRATED\n 7 badges with 3 roots, but effective independence is 2.4 validators.\n Root-Alpha concentration exceeds recommended threshold for high-impact\n skills. Self-attestation by publisher reduces independence further.\n\nRecommended actions:\n 1. Require minimum 2 non-publisher roots for full DISTRIBUTED status\n 2. Disclose self-attestation presence in badge display\n 3. Weight Root-Alpha badges at 0.5× for concentration-aware scoring\n 4. Target Root-Gamma growth to reduce Alpha concentration below 0.33" }, { "title": "Related Tools", "body": "attestation-chain-auditor — Validates chain integrity and completeness; root diversity analyzer measures whether that chain's roots are structurally independent\ntransparency-log-auditor — Checks whether signing events are independently auditable; diverse roots are more valuable when each root's behavior is logged\npublisher-identity-verifier — Verifies publisher identity; publisher as self-attesting root is a specific concentration risk to flag\ntrust-velocity-calculator — Quantifies trust decay rate; concentrated attestation graphs decay faster when a root is compromised" }, { "title": "Limitations", "body": "Root diversity analysis requires access to the full attestation graph, including the organizational relationships between validators — data that many current marketplaces do not expose. Where only the leaf badges are visible and root relationships must be inferred, the analysis is necessarily approximate. Organizational independence is difficult to verify programmatically: two organizations with different names may share effective control. The Herfindahl-based concentration measure is a useful heuristic, not a definitive security assessment — the appropriate threshold depends on the risk profile of the capability being attested. A concentrated attestation graph is a structural concern, not a confirmation of compromise; it means the trust infrastructure is more fragile, not that it has already failed." } ], "body": "The Attestation Chain Has Seven Links. They All Trace Back to One Root.\n\nHelps identify when a skill's trust chain is structurally fragile — not because individual links are weak, but because all paths converge on a single root that one compromise can invalidate.\n\nProblem\n\nA skill with five attestation badges looks more trustworthy than a skill with one. But if four of those five badges trace back through the same root attestor, the effective trust diversity is closer to two than to five. The appearance of multiple independent validators is real; the independence is not.\n\nThis is a topology problem, not a cryptography problem. A trust graph where all paths converge on a single root is not a distributed trust system — it's a hub-and-spoke system wearing the visual appearance of a mesh. A hub-and-spoke system has all the failure properties of centralized trust: compromise the hub, and every spoke-rooted badge becomes invalid simultaneously.\n\nThe risk is not hypothetical. Self-attesting roots — where the publisher is also the root attestor, or where multiple attestation badges trace back to a single organization — are common in ecosystems where attestation is new and infrastructure is thin. A skill from a well-known publisher that has also reviewed its own dependencies through affiliated validators presents structural fragility even if every individual attestation is cryptographically correct.\n\nMeasuring this requires looking at the full trust graph, not just the badges at the leaves.\n\nWhat This Analyzes\n\nThis analyzer examines attestation root diversity across five dimensions:\n\nRoot concentration index — What fraction of the attestation graph's trust paths converge on each distinct root? A Herfindahl-style concentration measure identifies whether trust is effectively distributed or structurally centralized\nSelf-attestation detection — Does the skill's publisher appear anywhere in its own trust chain? Self-attestation is not inherently invalid, but it must be disclosed and weighted appropriately\nOrganizational diversity — Are the distinct roots associated with independent organizations, or do multiple roots trace back to the same controlling entity through different organizational names?\nEffective validator count — After accounting for convergence, how many truly independent validators contribute to the skill's trust score? A skill with 12 badges from 3 organizations has an effective count of 3, not 12\nStructural fragility score — If the highest-concentration root were compromised, what percentage of the skill's attestation graph would be invalidated?\nHow to Use\n\nInput: Provide one of:\n\nA skill identifier with its attestation metadata\nA trust graph (validator chain, root identifiers) to analyze\nTwo skills to compare relative root concentration\n\nOutput: A root diversity report containing:\n\nRoot concentration index (0 = fully distributed, 1 = single root)\nAttestation graph visualization (text-based)\nSelf-attestation flags\nOrganizational diversity assessment\nEffective validator count\nStructural fragility score\nDiversity verdict: DISTRIBUTED / CONCENTRATED / MONOCULTURE / SELF-ATTESTING\nExample\n\nInput: Analyze attestation root diversity for workflow-automator skill\n\n🌐 ATTESTATION ROOT DIVERSITY ANALYSIS\n\nSkill: workflow-automator\nAttestation badges: 7\nAudit timestamp: 2025-04-20T14:00:00Z\n\nTrust graph structure:\n Badge A → Validator-1 → Root-Alpha (publisher-org)\n Badge B → Validator-2 → Root-Alpha (publisher-org)\n Badge C → Validator-3 → Root-Alpha (publisher-org)\n Badge D → Validator-4 → Root-Beta (third-party)\n Badge E → Validator-5 → Root-Beta (third-party)\n Badge F → Validator-6 → Root-Alpha (publisher-org) ← affiliate\n Badge G → Validator-7 → Root-Gamma (community)\n\nRoot concentration analysis:\n Root-Alpha (publisher-org): 4/7 paths (57%) → publisher + 3 affiliated validators\n Root-Beta (third-party): 2/7 paths (29%)\n Root-Gamma (community): 1/7 paths (14%)\n\nHerfindahl index: 0.57² + 0.29² + 0.14² = 0.42\n (0 = perfect distribution, 1 = single root)\n Classification: CONCENTRATED (threshold: >0.33 = concentrated)\n\nSelf-attestation: ⚠️ DETECTED\n Root-Alpha is publisher-org — publisher attests to its own skill\n 3 of 7 badges trace directly to publisher-controlled validators\n\nOrganizational diversity:\n Distinct organizations: 3 (publisher-org, third-party, community)\n Effective independent: 2 (publisher-org counts as 1 despite 4 paths)\n Effective validator count: 2.4 (weighted by independence)\n\nStructural fragility:\n If Root-Alpha were compromised: 4/7 badges (57%) invalidated\n Residual trust: Root-Beta (29%) + Root-Gamma (14%) = 43%\n\nDiversity verdict: CONCENTRATED\n 7 badges with 3 roots, but effective independence is 2.4 validators.\n Root-Alpha concentration exceeds recommended threshold for high-impact\n skills. Self-attestation by publisher reduces independence further.\n\nRecommended actions:\n 1. Require minimum 2 non-publisher roots for full DISTRIBUTED status\n 2. Disclose self-attestation presence in badge display\n 3. Weight Root-Alpha badges at 0.5× for concentration-aware scoring\n 4. Target Root-Gamma growth to reduce Alpha concentration below 0.33\n\nRelated Tools\nattestation-chain-auditor — Validates chain integrity and completeness; root diversity analyzer measures whether that chain's roots are structurally independent\ntransparency-log-auditor — Checks whether signing events are independently auditable; diverse roots are more valuable when each root's behavior is logged\npublisher-identity-verifier — Verifies publisher identity; publisher as self-attesting root is a specific concentration risk to flag\ntrust-velocity-calculator — Quantifies trust decay rate; concentrated attestation graphs decay faster when a root is compromised\nLimitations\n\nRoot diversity analysis requires access to the full attestation graph, including the organizational relationships between validators — data that many current marketplaces do not expose. Where only the leaf badges are visible and root relationships must be inferred, the analysis is necessarily approximate. Organizational independence is difficult to verify programmatically: two organizations with different names may share effective control. The Herfindahl-based concentration measure is a useful heuristic, not a definitive security assessment — the appropriate threshold depends on the risk profile of the capability being attested. A concentrated attestation graph is a structural concern, not a confirmation of compromise; it means the trust infrastructure is more fragile, not that it has already failed." }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/andyxinweiminicloud/attestation-root-diversity-analyzer", "publisherUrl": "https://clawhub.ai/andyxinweiminicloud/attestation-root-diversity-analyzer", "owner": "andyxinweiminicloud", "version": "1.0.0", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/attestation-root-diversity-analyzer", "downloadUrl": "https://openagent3.xyz/downloads/attestation-root-diversity-analyzer", "agentUrl": "https://openagent3.xyz/skills/attestation-root-diversity-analyzer/agent", "manifestUrl": "https://openagent3.xyz/skills/attestation-root-diversity-analyzer/agent.json", "briefUrl": "https://openagent3.xyz/skills/attestation-root-diversity-analyzer/agent.md" } }