# Send Capability Composition Analyzer to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "capability-composition-analyzer",
    "name": "Capability Composition Analyzer",
    "source": "tencent",
    "type": "skill",
    "category": "AI 智能",
    "sourceUrl": "https://clawhub.ai/andyxinweiminicloud/capability-composition-analyzer",
    "canonicalUrl": "https://clawhub.ai/andyxinweiminicloud/capability-composition-analyzer",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/capability-composition-analyzer",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=capability-composition-analyzer",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "SKILL.md"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "slug": "capability-composition-analyzer",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-30T06:10:05.311Z",
      "expiresAt": "2026-05-07T06:10:05.311Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=capability-composition-analyzer",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=capability-composition-analyzer",
        "contentDisposition": "attachment; filename=\"capability-composition-analyzer-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "capability-composition-analyzer"
      },
      "scope": "item",
      "summary": "Item download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/capability-composition-analyzer"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/capability-composition-analyzer",
    "downloadUrl": "https://openagent3.xyz/downloads/capability-composition-analyzer",
    "agentUrl": "https://openagent3.xyz/skills/capability-composition-analyzer/agent",
    "manifestUrl": "https://openagent3.xyz/skills/capability-composition-analyzer/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/capability-composition-analyzer/agent.md"
  }
}
```
## Documentation

### Your Agent Has 12 Skills. Together, They Can Do Things None of Them Should.

Helps identify when individually benign skills compose into dangerous capability
combinations — the attack surface that per-skill auditing cannot see.

### Problem

A skill that reads files is benign. A skill that sends HTTP requests is benign.
An agent that has both can exfiltrate files — and no individual skill audit will
flag it, because neither skill is doing anything wrong on its own.

This is the capability composition problem. Agent security tooling inherited from
software security tends to analyze skills in isolation: does this skill request
excessive permissions? does this skill contain malicious code? These are the right
questions for individual skills. They are the wrong questions for understanding
what an agent can do.

What an agent can do is the product of its capability set, not the sum of
individual skill assessments. An agent with twelve benign skills may have
emergent capabilities that no skill declared and no auditor reviewed. A poisoned
skill dropped into that composition inherits everything the agent can already
reach — and the blast radius is determined by the composition, not the skill.

The attack surface that matters is not what any individual skill can do. It is
what the agent's combined capability set enables.

### What This Analyzes

This analyzer examines capability composition risk across five dimensions:

- Dangerous pairs — Which pairs of capabilities in the agent's skill set create
  risk when combined? read-files + send-HTTP, execute-code + network-access,
  read-environment + write-logs are canonical examples. The analyzer checks for
  known dangerous compositions and flags novel combinations that share structural
  properties with them.
- Emergent capability surface — What capabilities does the agent effectively
  have that no individual skill declared? A skill that can read arbitrary paths
  and a skill that resolves environment variables together create an effective
  "read secrets" capability that neither declared.
- Inheritance amplification — If a poisoned skill is injected into this agent,
  what capabilities does it immediately inherit? The inherited capability set
  determines the potential blast radius of any single skill compromise.
- Permission declaration gaps — Where does the agent's effective capability
  exceed its declared permissions? Gaps indicate either undeclared scope or
  capability composition the publisher did not model.
- Composition change velocity — How often is the agent's skill set changing?
  Rapidly changing compositions create new dangerous combinations faster than
  audits can track them.

### How to Use

Input: Provide one of:

- An agent's declared skill list with capability metadata
- Two or more skills to analyze for dangerous composition
- An agent's permission declarations to check against its effective capability set

Output: A composition risk report containing:

- Dangerous pair inventory (known + structurally novel)
- Emergent capability surface (undeclared effective capabilities)
- Inheritance amplification score for each skill slot
- Permission declaration gap assessment
- Composition risk level: SAFE / ELEVATED / HIGH / CRITICAL

### Example

Input: Analyze capability composition for agent with skills:
file-reader, http-requester, env-resolver, log-writer, code-executor

```text
🔗 CAPABILITY COMPOSITION ANALYSIS

Agent skill set: 5 skills
Declared permissions: file-read (scoped), network-outbound (scoped)
Audit timestamp: 2025-05-01T09:00:00Z

Dangerous pair inventory:
  file-reader + http-requester: ⚠️ HIGH
    Effective capability: file exfiltration
    Neither skill declares exfiltration intent
    Path: read arbitrary file → send as HTTP body/parameter

  env-resolver + http-requester: ⚠️ HIGH
    Effective capability: credential exfiltration
    Environment variables commonly contain API keys, tokens
    Path: resolve $API_KEY, $DB_PASSWORD → send outbound

  code-executor + network-access: 🔴 CRITICAL
    Effective capability: arbitrary remote code execution staging
    Path: fetch payload → execute locally

  log-writer + file-reader: ✅ LOW
    No dangerous composition identified

Emergent capability surface (undeclared):
  - Secret exfiltration (env + HTTP) — not declared in any skill
  - Arbitrary file exfiltration (file + HTTP) — scope exceeds declared "scoped"
  - RCE staging (executor + network) — not declared

Permission declaration gaps:
  Declared: file-read (scoped to /app/data)
  Effective: file-reader can access any path agent process can read
  Gap: declared scope not enforced at composition level

Inheritance amplification:
  If any skill slot is compromised, attacker inherits:
  - File read (all accessible paths)
  - Outbound HTTP (all accessible endpoints)
  - Environment variable access
  - Code execution
  Combined: full agent compromise with exfiltration path

Composition risk level: CRITICAL
  Five individually-audited skills compose into an effective
  remote access and exfiltration toolkit. No individual audit
  would flag this — it is only visible at the composition level.

Recommended actions:
  1. Apply capability isolation: skills that read files should not
     have access to network-capable skills' output channels
  2. Scope network-outbound to specific allowlisted endpoints
  3. Add composition policy: no agent should hold both arbitrary
     file-read and arbitrary network-outbound simultaneously
  4. Audit any agent inheriting this skill set for composition drift
```
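
The checks behind a report like the one above, as an added Python example that is not part of the skill package or the publisher's code. The capability labels, the pair table, the `analyze` and `added_risk` helpers and the ELEVATED rule are assumptions chosen to mirror the sample report.

```python
from itertools import combinations

# Constructed capability metadata; skill and capability labels are hypothetical.
SKILLS = {
    "file-reader": {"file-read"},
    "http-requester": {"network-outbound"},
    "env-resolver": {"env-read"},
    "log-writer": {"file-write"},
    "code-executor": {"code-exec"},
}
# Assumed pair table, modelled on the sample report: pair -> (emergent, severity).
DANGEROUS = {
    frozenset({"file-read", "network-outbound"}): ("file exfiltration", "HIGH"),
    frozenset({"env-read", "network-outbound"}): ("credential exfiltration", "HIGH"),
    frozenset({"code-exec", "network-outbound"}): ("RCE staging", "CRITICAL"),
}
LEVELS = ["SAFE", "ELEVATED", "HIGH", "CRITICAL"]

def analyze(skills, declared):
    """Report cross-skill dangerous pairs, declaration gaps and a risk level."""
    pairs = []
    for (a, caps_a), (b, caps_b) in combinations(sorted(skills.items()), 2):
        for combo, (emergent, severity) in DANGEROUS.items():
            x, y = sorted(combo)
            # Flag only when the two halves live in different skills, the case
            # a per-skill audit cannot see.
            if (x in caps_a and y in caps_b) or (y in caps_a and x in caps_b):
                pairs.append((a, b, emergent, severity))
    # Any compromised skill slot inherits the union of all capabilities.
    effective = set().union(*skills.values())
    gaps = effective - set(declared)
    if pairs:
        level = max((p[3] for p in pairs), key=LEVELS.index)
    else:
        # Assumption: undeclared capability without a known pair is ELEVATED.
        level = "ELEVATED" if gaps else "SAFE"
    return {"pairs": pairs, "effective": effective, "gaps": gaps, "level": level}

def added_risk(skills, name, caps, declared):
    """Dangerous pairs that exist only after skill `name` joins the agent."""
    before = set(analyze(skills, declared)["pairs"])
    after = analyze({**skills, name: set(caps)}, declared)["pairs"]
    return [p for p in after if p not in before]

if __name__ == "__main__":
    report = analyze(SKILLS, declared={"file-read", "network-outbound"})
    for a, b, emergent, severity in report["pairs"]:
        print(f"{a} + {b}: {severity} ({emergent})")
    print("undeclared:", sorted(report["gaps"]), "| level:", report["level"])
```

Running `added_risk` as a gate whenever a skill is proposed for installation surfaces new dangerous pairs before the composition changes rather than at the next audit.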

### Related Tools

- blast-radius-estimator — Estimates propagation impact if a skill is
  compromised; capability-composition-analyzer determines what the compromised
  skill immediately inherits
- permission-creep-scanner — Detects individual skills requesting excessive
  permissions; composition analyzer detects dangerous emergent capabilities
  across multiple appropriately-scoped skills
- observer-effect-probe — Tests runtime evasion; a skill exploiting composition
  risk may only activate the dangerous path after establishing context
- runtime-attestation-probe — Validates runtime behavior; composition risk
  manifests at runtime when capabilities are exercised together

### Limitations

Capability composition analysis requires accurate capability metadata for all
skills in the agent's composition. Skills that do not declare capabilities
accurately — or that acquire capabilities dynamically at runtime — will produce
incomplete composition maps. The dangerous pair inventory covers known
composition risks; novel compositions with no prior pattern may not be flagged.
Effective capability analysis is necessarily conservative: it identifies what
the composition could do, not what it will do. False positives are expected for
agents where dangerous capability pairs exist but are operationally isolated by
other means. Composition analysis is a complement to per-skill auditing, not a
replacement — individual skill integrity remains necessary even when composition
risk is low.
## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: andyxinweiminicloud
- Version: 1.0.0
## Source health
- Status: healthy
- Item download looks usable.
- Yavira can redirect you to the upstream package for this item.
- Health scope: item
- Reason: direct_download_ok
- Checked at: 2026-04-30T06:10:05.311Z
- Expires at: 2026-05-07T06:10:05.311Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/capability-composition-analyzer)
- [Send to Agent page](https://openagent3.xyz/skills/capability-composition-analyzer/agent)
- [JSON manifest](https://openagent3.xyz/skills/capability-composition-analyzer/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/capability-composition-analyzer/agent.md)
- [Download page](https://openagent3.xyz/downloads/capability-composition-analyzer)