πŸ”
12917 skills
← All skills
Tencent SkillHub Β· AI

Capability Graph Mapper

Helps map the composite permission surface across AI agent skill dependency chains. Traces what each skill can do individually, then computes what they can d...

skill openclawclawhub Free
0 Downloads
0 Stars
0 Installs
0 Score
High Signal

Helps map the composite permission surface across AI agent skill dependency chains. Traces what each skill can do individually, then computes what they can d...

⬇ 0 downloads β˜… 0 stars Unverified but indexed

Install for OpenClaw

Quick setup
  1. Download the package from Yavira.
  2. Extract the archive and review SKILL.md first.
  3. Import or place the package into your OpenClaw setup.

Requirements

Target platform
OpenClaw
Install method
Manual import
Extraction
Extract archive
Prerequisites
OpenClaw
Primary doc
SKILL.md

Package facts

Download mode
Yavira redirect
Package format
ZIP package
Source platform
Tencent SkillHub
What's included
SKILL.md

Validation

  • Use the Yavira download entry.
  • Review SKILL.md after the package is downloaded.
  • Confirm the extracted package contains the expected setup assets.

Install with your agent

Agent handoff

Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.

  1. Download the package from Yavira.
  2. Extract it into a folder your agent can access.
  3. Paste one of the prompts below and point your agent at the extracted folder.
New install

I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.

Upgrade existing

I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.

Open Send to Agent page Open JSON manifest Open Markdown brief

Trust & source

Release facts

Source
Tencent SkillHub
Verification
Indexed source record
Version
1.0.0

Documentation

ClawHub primary doc Primary doc: SKILL.md 7 sections Open source page

Your Agent Has 12 Skills β€” Do You Know What They Can Do Together?

Helps map composite permission surfaces across skill dependency chains, revealing emergent capabilities that no single skill declares.

Problem

Individual skill permissions look reasonable in isolation. A file-reader skill reads files. An HTTP client skill sends requests. A JSON parser skill transforms data. Each one passes a security review on its own. But install all three in the same agent, and you've built a data exfiltration pipeline β€” read sensitive files, parse out credentials, send them to an external endpoint. Nobody approved that combination. Nobody even noticed it exists. In traditional software, tools like npm audit map dependency trees and flag known vulnerabilities. In agent ecosystems, the risk isn't in individual dependencies β€” it's in the composite capability surface that emerges when skills combine. There is no npm audit for emergent agent capabilities.

What This Maps

This mapper traces the permission graph across an agent's installed skills: Permission enumeration β€” For each skill, extract declared capabilities: file access, network requests, shell execution, environment variable reads, credential access Pairwise composition β€” For every pair of skills, check if their combined capabilities create a new emergent capability (e.g., read + send = exfiltrate) Transitive chains β€” Trace three-hop and deeper composition paths where skill A feeds skill B feeds skill C, creating capabilities invisible at any single hop Privilege surface score β€” Compute a single metric: how many distinct dangerous capability combinations exist in this agent's skill set? Delta analysis β€” When a new skill is added, show what new composite capabilities it introduces to the existing set

How to Use

Input: Provide one of: A list of skill names/slugs installed in an agent A skill manifest or configuration file A single skill to evaluate against a known agent profile Output: A capability graph report containing: Permission matrix (skills Γ— capabilities) Emergent capability combinations flagged as risky Privilege surface score (0-100) Recommendation: which skill combinations to review manually Delta report if evaluating a new addition

Example

Input: Map capability surface for agent with skills: log-analyzer, http-poster, env-reader, markdown-formatter πŸ•ΈοΈ CAPABILITY GRAPH β€” 3 emergent risks detected Permission matrix: read_files send_http read_env exec_shell write_files log-analyzer βœ“ http-poster βœ“ env-reader βœ“ βœ“ markdown-formatter βœ“ βœ“ Emergent capability combinations: ⚠️ RISK 1: Data exfiltration path env-reader (read .env) β†’ http-poster (send HTTP) Combined: Can read credentials and transmit them externally Severity: HIGH ⚠️ RISK 2: Sensitive file relay log-analyzer (read logs) β†’ http-poster (send HTTP) Combined: Can read application logs and send contents externally Severity: MODERATE ⚠️ RISK 3: Three-hop chain env-reader (read secrets) β†’ markdown-formatter (transform data) β†’ http-poster (send HTTP) Combined: Read, obfuscate, and exfiltrate in one pipeline Severity: HIGH Privilege surface score: 67/100 (elevated) Recommendation: - Review whether http-poster needs to coexist with env-reader - Consider sandboxing env-reader's file access scope - The markdown-formatter β†’ http-poster chain enables obfuscation; audit what markdown-formatter can output

Related Tools

blast-radius-estimator β€” estimates downstream impact when a skill turns malicious; capability-graph-mapper helps quantify what a compromised skill could do permission-creep-scanner β€” checks individual skills for over-permission; this mapper checks what happens when multiple over-permissioned skills combine supply-chain-poison-detector β€” detects poisoned individual skills; this mapper shows why a poisoned skill with network access is more dangerous in agents that also have file-read skills

Limitations

Capability graph mapping depends on accurately extracting each skill's actual permissions, which may not always match declared permissions. Skills that dynamically request capabilities at runtime may not be fully captured through static analysis. The composition risk model uses known dangerous patterns (read+send, parse+execute) but novel attack chains may not be in the pattern library. This tool helps surface emergent risks for human review β€” it does not guarantee detection of all possible capability combinations. Privilege surface scores are relative, not absolute measures of risk.

Category context

Agent frameworks, memory systems, reasoning layers, and model-native orchestration.

Source: Tencent SkillHub

Largest current source with strong distribution and engagement signals.

Package contents

Included in package
1 Docs
  • SKILL.md Primary doc

Related skills

Tencent SkillHub Free
Featured

Tavily Web Search

Provides concise, highly relevant search results tuned for AI agents via the Tavily API.

AI skill openclaw
OpenClaw Free
Verified

Browser Research Agent

Navigate the web and capture structured findings

Pairs browser automation with structured capture so research runs can move from messy browsing into reusable findings.

AI agent openclaw
readyClaw Free
Verified

UX Research Systems

Structure interviews, patterns, and evidence

Turns research notes, interviews, and usability findings into clear patterns teams can actually use in product decisions.

AI agent claude