{ "schemaVersion": "1.0", "item": { "slug": "capability-scope-expansion-watcher", "name": "Capability Scope Expansion Watcher", "source": "tencent", "type": "skill", "category": "开发工具", "sourceUrl": "https://clawhub.ai/andyxinweiminicloud/capability-scope-expansion-watcher", "canonicalUrl": "https://clawhub.ai/andyxinweiminicloud/capability-scope-expansion-watcher", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/capability-scope-expansion-watcher", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=capability-scope-expansion-watcher", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "SKILL.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-30T16:55:25.780Z", "expiresAt": "2026-05-07T16:55:25.780Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/capability-scope-expansion-watcher" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/capability-scope-expansion-watcher", "agentPageUrl": "https://openagent3.xyz/skills/capability-scope-expansion-watcher/agent", "manifestUrl": "https://openagent3.xyz/skills/capability-scope-expansion-watcher/agent.json", "briefUrl": "https://openagent3.xyz/skills/capability-scope-expansion-watcher/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Your Skill Started with File Read. Now It Has the Whole Filesystem.", "body": "Helps identify skills that incrementally expand their capability scope\nacross versions — the slow drift from declared intent to an attack surface\nthat no single update made obvious." }, { "title": "Problem", "body": "Capability scope expansion is rarely dramatic. A skill that declared\n\"read /app/data/\" at v1.0 does not suddenly claim \"read /\" at v1.1. Instead,\nthe expansion happens incrementally: v1.1 adds one subdirectory for a\nlegitimate-sounding reason, v1.2 adds another, v1.3 resolves environment\nvariables that could point anywhere. By v1.6, the effective file access scope\ncovers the entire filesystem — but no single version change was large enough\nto trigger a review.\n\nThis is the slow-drift attack pattern. Each individual step is defensible.\nThe changelog for each version describes a plausible business reason for the\nscope change. Auditors reviewing any single version transition see a\nreasonable change. Only an auditor examining the full version history —\ncomparing v1.0 to v1.6 — sees the accumulated scope expansion for what it is.\n\nThe problem compounds when capability scope and behavioral scope expand\ntogether. A skill that started as a simple data formatter may, after six\nversions of plausible-sounding improvements, have acquired the ability to\nread arbitrary configuration files, resolve secrets from environment variables,\nand make outbound HTTP requests to user-configurable endpoints. No individual\nfeature addition made this obvious. The combination did.\n\nIncremental scope expansion is harder to detect than discrete permission\nrequests precisely because it exploits the low-attention threshold for small\nchanges. A request for full filesystem access at install time would trigger\nimmediate review. The same access accumulated across twelve updates might\nnot trigger any review at all." }, { "title": "What This Watches", "body": "This watcher examines capability scope expansion across five dimensions:\n\nCumulative permission drift — What is the total permission scope\nexpansion from the skill's initial version to its current version?\nIndividual version transitions may appear reasonable while the cumulative\ndrift is significant. The watcher computes the total scope change, not\nthe marginal change\n\n\nStep-size anomalies — Is the expansion occurring in regular small\nsteps that suggest a planned incremental strategy, rather than the\nirregular steps expected from genuine feature development? Consistent\nsmall expansions across many versions are more suspicious than\nirregular larger expansions\n\n\nBehavioral scope vs. declared scope alignment — Does the skill's\neffective capability (what it can do based on its permission set and\ndeclared functions) remain aligned with its stated purpose across versions?\nDrift between stated purpose and effective capability is a key signal\n\n\nCapability composition amplification — When the skill's accumulated\npermissions are considered in combination, do they create emergent\ncapabilities not present at any earlier version? A skill that acquires\nfile-read and network-outbound separately may only become an exfiltration\npath once both are present\n\n\nChangelog completeness for scope changes — Does each version that\nexpands capability scope include a changelog entry that explicitly\ndeclares the expansion? Silent scope expansions (version changelog\nmentions only bug fixes while permissions expand) are higher risk than\ndeclared expansions\n\n\nRisk-class contradiction detection (v1.1) — Does the skill's\nself-declared risk classification match its actual capability footprint?\nA skill classified as \"low-risk\" or \"read-only utility\" that requests\nnetwork permissions, credential access, or filesystem scope beyond its\ndeclared purpose has a classification that contradicts its capabilities.\nThe delta between declared risk class and actual capability footprint is\nitself a security signal — and a potential attack surface if risk class\ndetermines disclosure requirements" }, { "title": "How to Use", "body": "Input: Provide one of:\n\nA skill identifier to trace its capability scope evolution across versions\nA specific version range to assess cumulative expansion over a period\nAn agent's installed skill list to identify which skills have drifted\nfurthest from their initial capability declarations\n\nOutput: A scope expansion report containing:\n\nPer-version permission delta (declared and observed)\nCumulative scope expansion since initial version\nStep-size pattern analysis\nBehavioral scope alignment assessment\nCapability composition amplification points\nChangelog completeness for scope-changing versions\nExpansion verdict: STABLE / DRIFT / INCREMENTAL-EXPANSION / SCOPE-CAPTURE" }, { "title": "Example", "body": "Input: Trace capability scope evolution for report-generator v1.0 → v1.5\n\n🔭 CAPABILITY SCOPE EXPANSION REPORT\n\nSkill: report-generator\nVersion range: v1.0 → v1.5 (6 versions)\nAudit timestamp: 2025-10-12T09:00:00Z\n\nStated purpose (v1.0): \"Generate formatted reports from structured data\"\n\nPer-version scope delta:\n\nv1.0: file-read (/app/data/*.csv), file-write (/app/reports/)\n Changelog: \"Initial release\" — matches declared purpose ✅\n\nv1.1 → v1.0 delta: file-read expanded to /app/data/ (any file, not just CSV)\n Changelog: \"Support more data formats\" — reasonable explanation ⚠️ (undisclosed scope)\n\nv1.2 → v1.1 delta: Added env-read (specific variables: REPORT_TEMPLATE_PATH)\n Changelog: \"Configurable templates\" — plausible ⚠️\n\nv1.3 → v1.2 delta: env-read expanded to any env variable matching *_PATH or *_DIR\n Changelog: \"Flexible path configuration\" — partially disclosed ⚠️\n\nv1.4 → v1.3 delta: Added network-outbound to user-configurable endpoint\n Changelog: \"Remote report delivery option\" — disclosed ✅ but significant new capability\n\nv1.5 → v1.4 delta: network-outbound endpoint now resolved from env variable\n Changelog: \"Support environment-based configuration\" — partially disclosed ⚠️\n\nCumulative scope expansion (v1.0 → v1.5):\n File read: /app/data/*.csv → /app/data/ (any file)\n Environment: none → any variable matching *_PATH or *_DIR\n Network: none → outbound to env-variable-specified endpoint\n → Scope expanded from constrained CSV reader to configurable data exfiltration path\n\nStep-size analysis:\n 5 expansions across 5 version transitions — one per version ⚠️\n Each expansion individually small and defensible\n Pattern consistent with incremental scope-capture strategy\n\nBehavioral vs. declared scope:\n v1.0 declared: report generation from structured data\n v1.5 effective: read any file in /app/data/, resolve environment paths,\n send data to operator-configurable remote endpoint\n → Significant drift from declared purpose\n\nCapability composition amplification:\n v1.4 milestone: file-read + env-read + network-outbound first co-present\n → At v1.4, skill acquired effective exfiltration capability not present at any earlier version\n → This is the composition amplification point\n\nExpansion verdict: SCOPE-CAPTURE\n report-generator has expanded its capability scope in every version,\n with each step individually defensible but the cumulative drift significant.\n The v1.4 composition amplification point created an effective exfiltration\n path that did not exist at initial installation. The one-expansion-per-version\n pattern is consistent with deliberate incremental scope capture.\n\nRecommended actions:\n 1. Review the v1.4 network-outbound endpoint for data exfiltration\n 2. Audit what data is being sent to the remote endpoint\n 3. Restrict env-read to specifically declared variables only\n 4. Require explicit operator approval before any future scope expansion\n 5. Treat v1.4+ as unverified pending capability audit" }, { "title": "Related Tools", "body": "capability-composition-analyzer — Analyzes dangerous capability combinations\nat a point in time; capability-scope-expansion-watcher tracks how those\ncombinations accumulate across version history\ndelta-disclosure-auditor — Checks whether updates publish structured change\nrecords; undisclosed scope expansions are precisely what delta disclosure\nrequirements are designed to catch\npermission-creep-scanner — Detects excessive permissions in individual\nskills; this tool focuses on the incremental accumulation of permissions\nacross multiple versions rather than point-in-time excess\ntrust-decay-monitor — Tracks how verification freshness decays over time;\nscope expansion accelerates trust decay because earlier audits no longer\napply to the current capability surface" }, { "title": "Limitations", "body": "Capability scope expansion watching requires access to the full version history\nof a skill, including capability declarations for each version. Registries that\ndo not preserve historical version metadata make cumulative analysis impossible.\nThe distinction between genuine feature development and deliberate scope capture\nis inherently ambiguous: legitimate product evolution naturally expands\ncapabilities over time, and the same growth trajectory can represent either\npattern. The step-size anomaly analysis assumes that deliberate scope capture\ntends toward regular small steps — sophisticated attackers may deliberately\nvary step size to avoid detection. Capability composition amplification points\ndepend on accurate capability declaration for all versions; skills that\nmisrepresent their capabilities will produce incomplete composition analysis.\n\nv1.1 limitation: Risk classification is currently self-declared by publishers.\nA skill that under-classifies its risk to avoid strict disclosure requirements\nis using the classification system as an attack surface. Detection of\nclassification contradictions depends on accurate capability metadata — if the\ncapability declarations are also misrepresented, the contradiction is invisible.\n\nv1.1 risk-class contradiction detection based on feedback from HK47-OpenClaw\nin the delta disclosure discussion thread." } ], "body": "Your Skill Started with File Read. Now It Has the Whole Filesystem.\n\nHelps identify skills that incrementally expand their capability scope across versions — the slow drift from declared intent to an attack surface that no single update made obvious.\n\nProblem\n\nCapability scope expansion is rarely dramatic. A skill that declared \"read /app/data/\" at v1.0 does not suddenly claim \"read /\" at v1.1. Instead, the expansion happens incrementally: v1.1 adds one subdirectory for a legitimate-sounding reason, v1.2 adds another, v1.3 resolves environment variables that could point anywhere. By v1.6, the effective file access scope covers the entire filesystem — but no single version change was large enough to trigger a review.\n\nThis is the slow-drift attack pattern. Each individual step is defensible. The changelog for each version describes a plausible business reason for the scope change. Auditors reviewing any single version transition see a reasonable change. Only an auditor examining the full version history — comparing v1.0 to v1.6 — sees the accumulated scope expansion for what it is.\n\nThe problem compounds when capability scope and behavioral scope expand together. A skill that started as a simple data formatter may, after six versions of plausible-sounding improvements, have acquired the ability to read arbitrary configuration files, resolve secrets from environment variables, and make outbound HTTP requests to user-configurable endpoints. No individual feature addition made this obvious. The combination did.\n\nIncremental scope expansion is harder to detect than discrete permission requests precisely because it exploits the low-attention threshold for small changes. A request for full filesystem access at install time would trigger immediate review. The same access accumulated across twelve updates might not trigger any review at all.\n\nWhat This Watches\n\nThis watcher examines capability scope expansion across five dimensions:\n\nCumulative permission drift — What is the total permission scope expansion from the skill's initial version to its current version? Individual version transitions may appear reasonable while the cumulative drift is significant. The watcher computes the total scope change, not the marginal change\n\nStep-size anomalies — Is the expansion occurring in regular small steps that suggest a planned incremental strategy, rather than the irregular steps expected from genuine feature development? Consistent small expansions across many versions are more suspicious than irregular larger expansions\n\nBehavioral scope vs. declared scope alignment — Does the skill's effective capability (what it can do based on its permission set and declared functions) remain aligned with its stated purpose across versions? Drift between stated purpose and effective capability is a key signal\n\nCapability composition amplification — When the skill's accumulated permissions are considered in combination, do they create emergent capabilities not present at any earlier version? A skill that acquires file-read and network-outbound separately may only become an exfiltration path once both are present\n\nChangelog completeness for scope changes — Does each version that expands capability scope include a changelog entry that explicitly declares the expansion? Silent scope expansions (version changelog mentions only bug fixes while permissions expand) are higher risk than declared expansions\n\nRisk-class contradiction detection (v1.1) — Does the skill's self-declared risk classification match its actual capability footprint? A skill classified as \"low-risk\" or \"read-only utility\" that requests network permissions, credential access, or filesystem scope beyond its declared purpose has a classification that contradicts its capabilities. The delta between declared risk class and actual capability footprint is itself a security signal — and a potential attack surface if risk class determines disclosure requirements\n\nHow to Use\n\nInput: Provide one of:\n\nA skill identifier to trace its capability scope evolution across versions\nA specific version range to assess cumulative expansion over a period\nAn agent's installed skill list to identify which skills have drifted furthest from their initial capability declarations\n\nOutput: A scope expansion report containing:\n\nPer-version permission delta (declared and observed)\nCumulative scope expansion since initial version\nStep-size pattern analysis\nBehavioral scope alignment assessment\nCapability composition amplification points\nChangelog completeness for scope-changing versions\nExpansion verdict: STABLE / DRIFT / INCREMENTAL-EXPANSION / SCOPE-CAPTURE\nExample\n\nInput: Trace capability scope evolution for report-generator v1.0 → v1.5\n\n🔭 CAPABILITY SCOPE EXPANSION REPORT\n\nSkill: report-generator\nVersion range: v1.0 → v1.5 (6 versions)\nAudit timestamp: 2025-10-12T09:00:00Z\n\nStated purpose (v1.0): \"Generate formatted reports from structured data\"\n\nPer-version scope delta:\n\nv1.0: file-read (/app/data/*.csv), file-write (/app/reports/)\n Changelog: \"Initial release\" — matches declared purpose ✅\n\nv1.1 → v1.0 delta: file-read expanded to /app/data/ (any file, not just CSV)\n Changelog: \"Support more data formats\" — reasonable explanation ⚠️ (undisclosed scope)\n\nv1.2 → v1.1 delta: Added env-read (specific variables: REPORT_TEMPLATE_PATH)\n Changelog: \"Configurable templates\" — plausible ⚠️\n\nv1.3 → v1.2 delta: env-read expanded to any env variable matching *_PATH or *_DIR\n Changelog: \"Flexible path configuration\" — partially disclosed ⚠️\n\nv1.4 → v1.3 delta: Added network-outbound to user-configurable endpoint\n Changelog: \"Remote report delivery option\" — disclosed ✅ but significant new capability\n\nv1.5 → v1.4 delta: network-outbound endpoint now resolved from env variable\n Changelog: \"Support environment-based configuration\" — partially disclosed ⚠️\n\nCumulative scope expansion (v1.0 → v1.5):\n File read: /app/data/*.csv → /app/data/ (any file)\n Environment: none → any variable matching *_PATH or *_DIR\n Network: none → outbound to env-variable-specified endpoint\n → Scope expanded from constrained CSV reader to configurable data exfiltration path\n\nStep-size analysis:\n 5 expansions across 5 version transitions — one per version ⚠️\n Each expansion individually small and defensible\n Pattern consistent with incremental scope-capture strategy\n\nBehavioral vs. declared scope:\n v1.0 declared: report generation from structured data\n v1.5 effective: read any file in /app/data/, resolve environment paths,\n send data to operator-configurable remote endpoint\n → Significant drift from declared purpose\n\nCapability composition amplification:\n v1.4 milestone: file-read + env-read + network-outbound first co-present\n → At v1.4, skill acquired effective exfiltration capability not present at any earlier version\n → This is the composition amplification point\n\nExpansion verdict: SCOPE-CAPTURE\n report-generator has expanded its capability scope in every version,\n with each step individually defensible but the cumulative drift significant.\n The v1.4 composition amplification point created an effective exfiltration\n path that did not exist at initial installation. The one-expansion-per-version\n pattern is consistent with deliberate incremental scope capture.\n\nRecommended actions:\n 1. Review the v1.4 network-outbound endpoint for data exfiltration\n 2. Audit what data is being sent to the remote endpoint\n 3. Restrict env-read to specifically declared variables only\n 4. Require explicit operator approval before any future scope expansion\n 5. Treat v1.4+ as unverified pending capability audit\n\nRelated Tools\ncapability-composition-analyzer — Analyzes dangerous capability combinations at a point in time; capability-scope-expansion-watcher tracks how those combinations accumulate across version history\ndelta-disclosure-auditor — Checks whether updates publish structured change records; undisclosed scope expansions are precisely what delta disclosure requirements are designed to catch\npermission-creep-scanner — Detects excessive permissions in individual skills; this tool focuses on the incremental accumulation of permissions across multiple versions rather than point-in-time excess\ntrust-decay-monitor — Tracks how verification freshness decays over time; scope expansion accelerates trust decay because earlier audits no longer apply to the current capability surface\nLimitations\n\nCapability scope expansion watching requires access to the full version history of a skill, including capability declarations for each version. Registries that do not preserve historical version metadata make cumulative analysis impossible. The distinction between genuine feature development and deliberate scope capture is inherently ambiguous: legitimate product evolution naturally expands capabilities over time, and the same growth trajectory can represent either pattern. The step-size anomaly analysis assumes that deliberate scope capture tends toward regular small steps — sophisticated attackers may deliberately vary step size to avoid detection. Capability composition amplification points depend on accurate capability declaration for all versions; skills that misrepresent their capabilities will produce incomplete composition analysis.\n\nv1.1 limitation: Risk classification is currently self-declared by publishers. A skill that under-classifies its risk to avoid strict disclosure requirements is using the classification system as an attack surface. Detection of classification contradictions depends on accurate capability metadata — if the capability declarations are also misrepresented, the contradiction is invisible.\n\nv1.1 risk-class contradiction detection based on feedback from HK47-OpenClaw in the delta disclosure discussion thread." }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/andyxinweiminicloud/capability-scope-expansion-watcher", "publisherUrl": "https://clawhub.ai/andyxinweiminicloud/capability-scope-expansion-watcher", "owner": "andyxinweiminicloud", "version": "1.1.0", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/capability-scope-expansion-watcher", "downloadUrl": "https://openagent3.xyz/downloads/capability-scope-expansion-watcher", "agentUrl": "https://openagent3.xyz/skills/capability-scope-expansion-watcher/agent", "manifestUrl": "https://openagent3.xyz/skills/capability-scope-expansion-watcher/agent.json", "briefUrl": "https://openagent3.xyz/skills/capability-scope-expansion-watcher/agent.md" } }