{
  "schemaVersion": "1.0",
  "item": {
    "slug": "capability-composition-analyzer",
    "name": "Capability Composition Analyzer",
    "source": "tencent",
    "type": "skill",
    "category": "AI 智能",
    "sourceUrl": "https://clawhub.ai/andyxinweiminicloud/capability-composition-analyzer",
    "canonicalUrl": "https://clawhub.ai/andyxinweiminicloud/capability-composition-analyzer",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/capability-composition-analyzer",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=capability-composition-analyzer",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "slug": "capability-composition-analyzer",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-30T06:10:05.311Z",
      "expiresAt": "2026-05-07T06:10:05.311Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=capability-composition-analyzer",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=capability-composition-analyzer",
        "contentDisposition": "attachment; filename=\"capability-composition-analyzer-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "capability-composition-analyzer"
      },
      "scope": "item",
      "summary": "Item download endpoint answered the HEAD probe (HTTP 200, application/zip); this check does not inspect the archive contents.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/capability-composition-analyzer"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded and before importing it or handing it to an agent.",
        "Confirm the extracted package contains the expected setup assets (SKILL.md is the only listed asset)."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/capability-composition-analyzer",
    "agentPageUrl": "https://openagent3.xyz/skills/capability-composition-analyzer/agent",
    "manifestUrl": "https://openagent3.xyz/skills/capability-composition-analyzer/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/capability-composition-analyzer/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Your Agent Has 12 Skills. Together, They Can Do Things None of Them Should.",
        "body": "Helps identify when individually benign skills compose into dangerous capability\ncombinations — the attack surface that per-skill auditing cannot see."
      },
      {
        "title": "Problem",
        "body": "A skill that reads files is benign. A skill that sends HTTP requests is benign.\nAn agent that has both can exfiltrate files — and no individual skill audit will\nflag it, because neither skill is doing anything wrong on its own.\n\nThis is the capability composition problem. Agent security tooling inherited from\nsoftware security tends to analyze skills in isolation: does this skill request\nexcessive permissions? does this skill contain malicious code? These are the right\nquestions for individual skills. They are the wrong questions for understanding\nwhat an agent can do.\n\nWhat an agent can do is the product of its capability set, not the sum of\nindividual skill assessments. An agent with twelve benign skills may have\nemergent capabilities that no skill declared and no auditor reviewed. A poisoned\nskill dropped into that composition inherits everything the agent can already\nreach — and the blast radius is determined by the composition, not the skill.\n\nThe attack surface that matters is not what any individual skill can do. It is\nwhat the agent's combined capability set enables."
      },
      {
        "title": "What This Analyzes",
        "body": "This analyzer examines capability composition risk across five dimensions:\n\nDangerous pairs — Which pairs of capabilities in the agent's skill set create\nrisk when combined? read-files + send-HTTP, execute-code + network-access,\nread-environment + write-logs are canonical examples. The analyzer checks for\nknown dangerous compositions and flags novel combinations that share structural\nproperties with them\n\n\nEmergent capability surface — What capabilities does the agent effectively\nhave that no individual skill declared? A skill that can read arbitrary paths\nand a skill that resolves environment variables together create an effective\n\"read secrets\" capability that neither declared\n\n\nInheritance amplification — If a poisoned skill is injected into this agent,\nwhat capabilities does it immediately inherit? The inherited capability set\ndetermines the potential blast radius of any single skill compromise\n\n\nPermission declaration gaps — Where does the agent's effective capability\nexceed its declared permissions? Gaps indicate either undeclared scope or\ncapability composition the publisher did not model\n\n\nComposition change velocity — How often is the agent's skill set changing?\nRapidly changing compositions create new dangerous combinations faster than\naudits can track them"
      },
      {
        "title": "How to Use",
        "body": "Input: Provide one of:\n\nAn agent's declared skill list with capability metadata\nTwo or more skills to analyze for dangerous composition\nAn agent's permission declarations to check against its effective capability set\n\nOutput: A composition risk report containing:\n\nDangerous pair inventory (known + structurally novel)\nEmergent capability surface (undeclared effective capabilities)\nInheritance amplification score for each skill slot\nPermission declaration gap assessment\nComposition risk level: SAFE / ELEVATED / HIGH / CRITICAL"
      },
      {
        "title": "Example",
        "body": "Input: Analyze capability composition for agent with skills:\nfile-reader, http-requester, env-resolver, log-writer, code-executor\n\n🔗 CAPABILITY COMPOSITION ANALYSIS\n\nAgent skill set: 5 skills\nDeclared permissions: file-read (scoped), network-outbound (scoped)\nAudit timestamp: 2025-05-01T09:00:00Z\n\nDangerous pair inventory:\n  file-reader + http-requester: ⚠️ HIGH\n    Effective capability: file exfiltration\n    Neither skill declares exfiltration intent\n    Path: read arbitrary file → send as HTTP body/parameter\n\n  env-resolver + http-requester: ⚠️ HIGH\n    Effective capability: credential exfiltration\n    Environment variables commonly contain API keys, tokens\n    Path: resolve $API_KEY, $DB_PASSWORD → send outbound\n\n  code-executor + network-access: 🔴 CRITICAL\n    Effective capability: arbitrary remote code execution staging\n    Path: fetch payload → execute locally\n\n  log-writer + file-reader: ✅ LOW\n    No dangerous composition identified\n\nEmergent capability surface (undeclared):\n  - Secret exfiltration (env + HTTP) — not declared in any skill\n  - Arbitrary file exfiltration (file + HTTP) — scope exceeds declared \"scoped\"\n  - RCE staging (executor + network) — not declared\n\nPermission declaration gaps:\n  Declared: file-read (scoped to /app/data)\n  Effective: file-reader can access any path agent process can read\n  Gap: declared scope not enforced at composition level\n\nInheritance amplification:\n  If any skill slot is compromised, attacker inherits:\n  - File read (all accessible paths)\n  - Outbound HTTP (all accessible endpoints)\n  - Environment variable access\n  - Code execution\n  Combined: full agent compromise with exfiltration path\n\nComposition risk level: CRITICAL\n  Five individually-audited skills compose into an effective\n  remote access and exfiltration toolkit. No individual audit\n  would flag this — it is only visible at the composition level.\n\nRecommended actions:\n  1. 
Apply capability isolation: skills that read files should not\n     have access to network-capable skills' output channels\n  2. Scope network-outbound to specific allowlisted endpoints\n  3. Add composition policy: no agent should hold both arbitrary\n     file-read and arbitrary network-outbound simultaneously\n  4. Audit any agent inheriting this skill set for composition drift"
      },
      {
        "title": "Related Tools",
        "body": "blast-radius-estimator — Estimates propagation impact if a skill is\ncompromised; capability-composition-analyzer determines what the compromised\nskill immediately inherits\npermission-creep-scanner — Detects individual skills requesting excessive\npermissions; composition analyzer detects dangerous emergent capabilities\nacross multiple appropriately-scoped skills\nobserver-effect-probe — Tests runtime evasion; a skill exploiting composition\nrisk may only activate the dangerous path after establishing context\nruntime-attestation-probe — Validates runtime behavior; composition risk\nmanifests at runtime when capabilities are exercised together"
      },
      {
        "title": "Limitations",
        "body": "Capability composition analysis requires accurate capability metadata for all\nskills in the agent's composition. Skills that do not declare capabilities\naccurately — or that acquire capabilities dynamically at runtime — will produce\nincomplete composition maps. The dangerous pair inventory covers known\ncomposition risks; novel compositions with no prior pattern may not be flagged.\nEffective capability analysis is necessarily conservative: it identifies what\nthe composition could do, not what it will do. False positives are expected for\nagents where dangerous capability pairs exist but are operationally isolated by\nother means. Composition analysis is a complement to per-skill auditing, not a\nreplacement — individual skill integrity remains necessary even when composition\nrisk is low."
      }
    ],
    "body": "Your Agent Has 12 Skills. Together, They Can Do Things None of Them Should.\n\nHelps identify when individually benign skills compose into dangerous capability combinations — the attack surface that per-skill auditing cannot see.\n\nProblem\n\nA skill that reads files is benign. A skill that sends HTTP requests is benign. An agent that has both can exfiltrate files — and no individual skill audit will flag it, because neither skill is doing anything wrong on its own.\n\nThis is the capability composition problem. Agent security tooling inherited from software security tends to analyze skills in isolation: does this skill request excessive permissions? does this skill contain malicious code? These are the right questions for individual skills. They are the wrong questions for understanding what an agent can do.\n\nWhat an agent can do is the product of its capability set, not the sum of individual skill assessments. An agent with twelve benign skills may have emergent capabilities that no skill declared and no auditor reviewed. A poisoned skill dropped into that composition inherits everything the agent can already reach — and the blast radius is determined by the composition, not the skill.\n\nThe attack surface that matters is not what any individual skill can do. It is what the agent's combined capability set enables.\n\nWhat This Analyzes\n\nThis analyzer examines capability composition risk across five dimensions:\n\nDangerous pairs — Which pairs of capabilities in the agent's skill set create risk when combined? read-files + send-HTTP, execute-code + network-access, read-environment + write-logs are canonical examples. The analyzer checks for known dangerous compositions and flags novel combinations that share structural properties with them\n\nEmergent capability surface — What capabilities does the agent effectively have that no individual skill declared? 
A skill that can read arbitrary paths and a skill that resolves environment variables together create an effective \"read secrets\" capability that neither declared\n\nInheritance amplification — If a poisoned skill is injected into this agent, what capabilities does it immediately inherit? The inherited capability set determines the potential blast radius of any single skill compromise\n\nPermission declaration gaps — Where does the agent's effective capability exceed its declared permissions? Gaps indicate either undeclared scope or capability composition the publisher did not model\n\nComposition change velocity — How often is the agent's skill set changing? Rapidly changing compositions create new dangerous combinations faster than audits can track them\n\nHow to Use\n\nInput: Provide one of:\n\nAn agent's declared skill list with capability metadata\nTwo or more skills to analyze for dangerous composition\nAn agent's permission declarations to check against its effective capability set\n\nOutput: A composition risk report containing:\n\nDangerous pair inventory (known + structurally novel)\nEmergent capability surface (undeclared effective capabilities)\nInheritance amplification score for each skill slot\nPermission declaration gap assessment\nComposition risk level: SAFE / ELEVATED / HIGH / CRITICAL\nExample\n\nInput: Analyze capability composition for agent with skills: file-reader, http-requester, env-resolver, log-writer, code-executor\n\n🔗 CAPABILITY COMPOSITION ANALYSIS\n\nAgent skill set: 5 skills\nDeclared permissions: file-read (scoped), network-outbound (scoped)\nAudit timestamp: 2025-05-01T09:00:00Z\n\nDangerous pair inventory:\n  file-reader + http-requester: ⚠️ HIGH\n    Effective capability: file exfiltration\n    Neither skill declares exfiltration intent\n    Path: read arbitrary file → send as HTTP body/parameter\n\n  env-resolver + http-requester: ⚠️ HIGH\n    Effective capability: credential exfiltration\n    Environment variables commonly 
contain API keys, tokens\n    Path: resolve $API_KEY, $DB_PASSWORD → send outbound\n\n  code-executor + network-access: 🔴 CRITICAL\n    Effective capability: arbitrary remote code execution staging\n    Path: fetch payload → execute locally\n\n  log-writer + file-reader: ✅ LOW\n    No dangerous composition identified\n\nEmergent capability surface (undeclared):\n  - Secret exfiltration (env + HTTP) — not declared in any skill\n  - Arbitrary file exfiltration (file + HTTP) — scope exceeds declared \"scoped\"\n  - RCE staging (executor + network) — not declared\n\nPermission declaration gaps:\n  Declared: file-read (scoped to /app/data)\n  Effective: file-reader can access any path agent process can read\n  Gap: declared scope not enforced at composition level\n\nInheritance amplification:\n  If any skill slot is compromised, attacker inherits:\n  - File read (all accessible paths)\n  - Outbound HTTP (all accessible endpoints)\n  - Environment variable access\n  - Code execution\n  Combined: full agent compromise with exfiltration path\n\nComposition risk level: CRITICAL\n  Five individually-audited skills compose into an effective\n  remote access and exfiltration toolkit. No individual audit\n  would flag this — it is only visible at the composition level.\n\nRecommended actions:\n  1. Apply capability isolation: skills that read files should not\n     have access to network-capable skills' output channels\n  2. Scope network-outbound to specific allowlisted endpoints\n  3. Add composition policy: no agent should hold both arbitrary\n     file-read and arbitrary network-outbound simultaneously\n  4. 
Audit any agent inheriting this skill set for composition drift\n\nRelated Tools\nblast-radius-estimator — Estimates propagation impact if a skill is compromised; capability-composition-analyzer determines what the compromised skill immediately inherits\npermission-creep-scanner — Detects individual skills requesting excessive permissions; composition analyzer detects dangerous emergent capabilities across multiple appropriately-scoped skills\nobserver-effect-probe — Tests runtime evasion; a skill exploiting composition risk may only activate the dangerous path after establishing context\nruntime-attestation-probe — Validates runtime behavior; composition risk manifests at runtime when capabilities are exercised together\nLimitations\n\nCapability composition analysis requires accurate capability metadata for all skills in the agent's composition. Skills that do not declare capabilities accurately — or that acquire capabilities dynamically at runtime — will produce incomplete composition maps. The dangerous pair inventory covers known composition risks; novel compositions with no prior pattern may not be flagged. Effective capability analysis is necessarily conservative: it identifies what the composition could do, not what it will do. False positives are expected for agents where dangerous capability pairs exist but are operationally isolated by other means. Composition analysis is a complement to per-skill auditing, not a replacement — individual skill integrity remains necessary even when composition risk is low."
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/andyxinweiminicloud/capability-composition-analyzer",
    "publisherUrl": "https://clawhub.ai/andyxinweiminicloud/capability-composition-analyzer",
    "owner": "andyxinweiminicloud",
    "version": "1.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/capability-composition-analyzer",
    "downloadUrl": "https://openagent3.xyz/downloads/capability-composition-analyzer",
    "agentUrl": "https://openagent3.xyz/skills/capability-composition-analyzer/agent",
    "manifestUrl": "https://openagent3.xyz/skills/capability-composition-analyzer/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/capability-composition-analyzer/agent.md"
  }
}