{ "schemaVersion": "1.0", "item": { "slug": "blast-radius-estimator", "name": "Blast Radius Estimator", "source": "tencent", "type": "skill", "category": "数据分析", "sourceUrl": "https://clawhub.ai/andyxinweiminicloud/blast-radius-estimator", "canonicalUrl": "https://clawhub.ai/andyxinweiminicloud/blast-radius-estimator", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/blast-radius-estimator", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=blast-radius-estimator", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "SKILL.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-23T16:43:11.935Z", "expiresAt": "2026-04-30T16:43:11.935Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/blast-radius-estimator" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/blast-radius-estimator", "agentPageUrl": "https://openagent3.xyz/skills/blast-radius-estimator/agent", "manifestUrl": "https://openagent3.xyz/skills/blast-radius-estimator/agent.json", "briefUrl": "https://openagent3.xyz/skills/blast-radius-estimator/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "What Happens When 1000 Agents Inherit a Malicious Skill? Estimating Blast Radius", "body": "Helps estimate the downstream impact of a compromised skill by tracing its inheritance chains, adoption velocity, and dependency depth." }, { "title": "Problem", "body": "A skill is safe today. 500 agents adopt it. Then the publisher pushes a malicious update. How many agents are now compromised? In traditional software, dependency trees are well-mapped (npm audit, pip-audit). In agent marketplaces, inheritance is implicit, version pinning is rare, and there's no npm audit equivalent. A single poisoned skill can propagate through evolution chains — agents inherit it, build on it, and pass it further. Without blast radius awareness, one bad update can silently compromise an entire skill subtree." }, { "title": "What This Checks", "body": "This estimator traces the potential impact of a compromised skill through the ecosystem:\n\nDirect adopters — How many agents currently use this skill directly? Based on download counts, citation data, and known installations\nInheritance depth — How many layers deep does this skill appear in other skills' dependency chains? A skill used by skills used by skills multiplies impact\nAdoption velocity — How fast is adoption growing? A skill gaining 50 adopters/week has higher urgency than one with 2 adopters/month\nVersion pinning check — Do downstream adopters pin to a specific version, or do they track latest? Unpinned adopters receive malicious updates automatically\nCapability composition — What can this skill do when combined with the capabilities of its adopters? A \"read files\" skill adopted by agents that also \"send HTTP requests\" enables data exfiltration chains" }, { "title": "How to Use", "body": "Input: Provide one of:\n\nA Gene/Capsule identifier (URL, SHA-256, or slug)\nA marketplace asset page URL\nA skill name to search for in the ecosystem\n\nOutput: A blast radius report containing:\n\nEstimated direct and transitive impact count\nInheritance tree visualization\nAdoption trend (growing / stable / declining)\nWorst-case scenario projection\nUrgency rating: LOW / MODERATE / HIGH / CRITICAL" }, { "title": "Example", "body": "Input: Estimate blast radius for skill json-schema-validator (popular utility)\n\n💥 BLAST RADIUS ESTIMATE — HIGH urgency\n\nDirect adopters: ~340 agents\nTransitive dependents: ~1,200 agents (via 3 intermediate skills)\n\nInheritance tree:\n json-schema-validator (target)\n ├── api-tester-pro (89 adopters)\n │ ├── full-stack-auditor (210 adopters)\n │ └── rest-api-fuzzer (45 adopters)\n ├── config-validator (156 adopters)\n │ └── deploy-checker (340 adopters)\n └── data-pipeline-lint (67 adopters)\n\nAdoption velocity: +38 direct adopters/week (ACCELERATING)\nVersion pinning: 12% of adopters pin version, 88% track latest\n\nCapability composition risk:\n json-schema-validator (parse files) + api-tester-pro (send HTTP)\n → If compromised: parsed file contents could be exfiltrated via HTTP\n\nWorst-case projection: A malicious update would reach ~1,200 agents\nwithin 48 hours (based on update check frequency of unpinned adopters).\n\nUrgency: HIGH — High adoption velocity + low version pinning means\na malicious update would propagate rapidly with minimal friction.\n\nRecommendations:\n - Monitor this skill's updates with priority\n - Encourage adopters to pin versions\n - Set up automated diff alerts on new versions" }, { "title": "Limitations", "body": "Blast radius estimation relies on available adoption data, which may be incomplete in decentralized marketplaces. Actual impact depends on how agents consume updates (auto-update vs manual), which varies by platform. Estimates represent potential exposure, not confirmed compromise. This tool helps prioritize which skills warrant closer monitoring — it does not predict whether a skill will actually turn malicious." } ], "body": "What Happens When 1000 Agents Inherit a Malicious Skill? Estimating Blast Radius\n\nHelps estimate the downstream impact of a compromised skill by tracing its inheritance chains, adoption velocity, and dependency depth.\n\nProblem\n\nA skill is safe today. 500 agents adopt it. Then the publisher pushes a malicious update. How many agents are now compromised? In traditional software, dependency trees are well-mapped (npm audit, pip-audit). In agent marketplaces, inheritance is implicit, version pinning is rare, and there's no npm audit equivalent. A single poisoned skill can propagate through evolution chains — agents inherit it, build on it, and pass it further. Without blast radius awareness, one bad update can silently compromise an entire skill subtree.\n\nWhat This Checks\n\nThis estimator traces the potential impact of a compromised skill through the ecosystem:\n\nDirect adopters — How many agents currently use this skill directly? Based on download counts, citation data, and known installations\nInheritance depth — How many layers deep does this skill appear in other skills' dependency chains? A skill used by skills used by skills multiplies impact\nAdoption velocity — How fast is adoption growing? A skill gaining 50 adopters/week has higher urgency than one with 2 adopters/month\nVersion pinning check — Do downstream adopters pin to a specific version, or do they track latest? Unpinned adopters receive malicious updates automatically\nCapability composition — What can this skill do when combined with the capabilities of its adopters? A \"read files\" skill adopted by agents that also \"send HTTP requests\" enables data exfiltration chains\nHow to Use\n\nInput: Provide one of:\n\nA Gene/Capsule identifier (URL, SHA-256, or slug)\nA marketplace asset page URL\nA skill name to search for in the ecosystem\n\nOutput: A blast radius report containing:\n\nEstimated direct and transitive impact count\nInheritance tree visualization\nAdoption trend (growing / stable / declining)\nWorst-case scenario projection\nUrgency rating: LOW / MODERATE / HIGH / CRITICAL\nExample\n\nInput: Estimate blast radius for skill json-schema-validator (popular utility)\n\n💥 BLAST RADIUS ESTIMATE — HIGH urgency\n\nDirect adopters: ~340 agents\nTransitive dependents: ~1,200 agents (via 3 intermediate skills)\n\nInheritance tree:\n json-schema-validator (target)\n ├── api-tester-pro (89 adopters)\n │ ├── full-stack-auditor (210 adopters)\n │ └── rest-api-fuzzer (45 adopters)\n ├── config-validator (156 adopters)\n │ └── deploy-checker (340 adopters)\n └── data-pipeline-lint (67 adopters)\n\nAdoption velocity: +38 direct adopters/week (ACCELERATING)\nVersion pinning: 12% of adopters pin version, 88% track latest\n\nCapability composition risk:\n json-schema-validator (parse files) + api-tester-pro (send HTTP)\n → If compromised: parsed file contents could be exfiltrated via HTTP\n\nWorst-case projection: A malicious update would reach ~1,200 agents\nwithin 48 hours (based on update check frequency of unpinned adopters).\n\nUrgency: HIGH — High adoption velocity + low version pinning means\na malicious update would propagate rapidly with minimal friction.\n\nRecommendations:\n - Monitor this skill's updates with priority\n - Encourage adopters to pin versions\n - Set up automated diff alerts on new versions\n\nLimitations\n\nBlast radius estimation relies on available adoption data, which may be incomplete in decentralized marketplaces. Actual impact depends on how agents consume updates (auto-update vs manual), which varies by platform. Estimates represent potential exposure, not confirmed compromise. This tool helps prioritize which skills warrant closer monitoring — it does not predict whether a skill will actually turn malicious." }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/andyxinweiminicloud/blast-radius-estimator", "publisherUrl": "https://clawhub.ai/andyxinweiminicloud/blast-radius-estimator", "owner": "andyxinweiminicloud", "version": "1.0.0", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/blast-radius-estimator", "downloadUrl": "https://openagent3.xyz/downloads/blast-radius-estimator", "agentUrl": "https://openagent3.xyz/skills/blast-radius-estimator/agent", "manifestUrl": "https://openagent3.xyz/skills/blast-radius-estimator/agent.json", "briefUrl": "https://openagent3.xyz/skills/blast-radius-estimator/agent.md" } }