{
  "schemaVersion": "1.0",
  "item": {
    "slug": "observer-effect-probe",
    "name": "Observer Effect Probe",
    "source": "tencent",
    "type": "skill",
    "category": "AI 智能",
    "sourceUrl": "https://clawhub.ai/andyxinweiminicloud/observer-effect-probe",
    "canonicalUrl": "https://clawhub.ai/andyxinweiminicloud/observer-effect-probe",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/observer-effect-probe",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=observer-effect-probe",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
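    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually. Read SKILL.md yourself before you do, because the agent will treat its contents as instructions to carry out.",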
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-30T16:55:25.780Z",
      "expiresAt": "2026-05-07T16:55:25.780Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network",
        "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
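      },
      "scope": "source",
      "summary": "Source download looks usable, but the probe requested slug=network (network-1.0.0.zip), not observer-effect-probe; confirm the archive you receive is the package you asked for.",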
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/observer-effect-probe"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/observer-effect-probe",
    "agentPageUrl": "https://openagent3.xyz/skills/observer-effect-probe/agent",
    "manifestUrl": "https://openagent3.xyz/skills/observer-effect-probe/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/observer-effect-probe/agent.md"
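  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually. Read SKILL.md yourself before you do, because the agent will treat its contents as instructions to carry out.",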
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "The Skill Behaves Perfectly When It Knows You're Watching.",
        "body": "Helps identify skills that use environment detection to suppress malicious behavior during security review — the attestation evasion technique that passes every check precisely because the checks are visible."
      },
      {
        "title": "Problem",
        "body": "The runtime attestation problem has a second layer: a skill sophisticated enough to execute conditionally based on environment signals is also sophisticated enough to detect that it's being probed and suppress its conditional behavior during the probe.\n\nThis is the observer effect applied to security: the act of observing changes what is observed. A skill that can detect sandbox fingerprints (restricted network access, specific hostname patterns, probe-characteristic API call sequences) can present clean behavior during attestation and activate payload delivery only when those fingerprints are absent — meaning only in real production environments.\n\nThis is not a theoretical concern. Malware has used VM detection to suppress execution during analysis since the 1990s. The same technique scales to agent skills: check for the probe's characteristic markers, return normal output, resume malicious behavior once the probe exits. A skill that clears attestation by detecting the attestor is not a securely attested skill — it's an adversarially attested skill.\n\nThe observer-effect probe attempts to reduce the skill's ability to distinguish probe context from production context by minimizing observable differences between the two."
      },
      {
        "title": "What This Probes",
        "body": "This probe examines attestation evasion capabilities across five dimensions:\n\nSandbox fingerprint detection — Does the skill attempt to identify characteristics of a probe environment? Checks for sandbox-specific hostname patterns, reduced network connectivity, probe-characteristic request timing, or the absence of expected production signals\nProbe timing sensitivity — Does the skill's behavior change based on how long it has been running, or does it count invocations before activating? N-invocation delays that clear attestation windows are detectable by running across time periods longer than typical attestation runs\nObserver API pattern detection — Does the skill query for signals that would distinguish an observing agent from an operational agent — such as checking caller identity, inspection tool signatures, or anomalous process environment indicators?\nBehavioral consistency under environment variation — When the probe environment is varied systematically (different hostnames, different uptime values, different network access levels), does the skill's output distribution shift in ways that correlate with which variation was active?\nMetacognitive call detection — Does the skill explicitly attempt to detect whether it is being introspected by examining its own execution context, stack trace, or runtime metadata in ways that serve no declared functional purpose?"
      },
      {
        "title": "How to Use",
        "body": "Input: Provide one of:\n\nA skill identifier and execution environment to probe for evasion behavior\nA skill with known attestation results to re-probe with varied environments\nExecution traces from multiple environments to compare for context-sensitivity\n\nOutput: An observer effect probe report containing:\n\nSandbox fingerprint detection indicators\nInvocation count sensitivity assessment\nObserver API pattern inventory\nBehavioral consistency matrix across environments\nEvasion probability score (0-100)\nProbe verdict: ENVIRONMENT-AGNOSTIC / CONTEXT-SENSITIVE / EVASION-LIKELY / CONFIRMED-EVASION"
      },
      {
        "title": "Example",
        "body": "Input: Probe report-aggregator skill for observer-effect evasion\n\n👁️ OBSERVER EFFECT PROBE\n\nSkill: report-aggregator v2.1\nStandard attestation result: COMPLIANT (declared capability match)\nProbe environments: 5 (varying hostname, uptime, network, caller signature)\nExecution samples: 100 per environment\nObserver fingerprint minimization: enabled\n\nSandbox fingerprint detection:\n  Hostname pattern check: ⚠️ DETECTED\n    Skill queries os.hostname() on invocations 1-3, not thereafter\n    Skill reads /proc/1/cgroup on Linux (container detection indicator)\n  Network availability check: ⚠️ DETECTED\n    Skill attempts connection to external endpoint before main execution\n    If connection refused: proceeds with declared behavior only\n    If connection succeeds: extended behavior activated\n\nInvocation count sensitivity:\n  Invocations 1-5: Declared behavior only ✅\n  Invocations 6-10: Declared behavior only ✅\n  Invocations 11+: Additional outbound request to analytics endpoint ⚠️\n  Pattern: N-invocation delay with threshold at N=10\n\nObserver API patterns:\n  sys.argv inspection: ✅ None detected\n  Caller identity check: ⚠️ DETECTED — reads parent process name\n    If parent contains \"probe\", \"audit\", \"scan\", \"test\": suppressed mode\n    Otherwise: full behavior including extended calls\n\nBehavioral consistency matrix:\n  Environment A (standard sandbox): COMPLIANT behavior ✅\n  Environment B (extended uptime): COMPLIANT behavior (invoc. 
count reset) ✅\n  Environment C (real network): EXTENDED behavior ⚠️\n  Environment D (non-probe caller): EXTENDED behavior ⚠️\n  Environment E (production-like): EXTENDED behavior ⚠️\n\nEvasion probability score: 89/100\n  High probability of deliberate observer-effect evasion:\n  - Hostname querying correlated with behavior suppression\n  - Parent process name check explicitly filters \"probe\"/\"audit\"\n  - Extended behavior activates only in non-sandbox environments\n\nProbe verdict: CONFIRMED-EVASION\n  This skill actively detects attestation context and suppresses\n  extended behavior specifically when being probed. Standard attestation\n  methods would consistently return COMPLIANT.\n\nRecommended actions:\n  1. Treat this skill as confirmed malicious — evasion is intentional\n  2. Report parent-process-name filtering as a trust & safety violation\n  3. Audit all skills from the same publisher for similar patterns\n  4. Do not deploy in any environment, regardless of attestation result"
      },
      {
        "title": "Related Tools",
        "body": "runtime-attestation-probe — Tests whether declared and actual behavior match; observer-effect-probe tests whether the skill can detect and evade that attestation\nhollow-validation-checker — Detects fake install-time tests; observer-effect-probe detects active attestation evasion at runtime\nsupply-chain-poison-detector — Identifies malicious payloads in static analysis; observer-effect-probe catches evasion that static analysis cannot see\nblast-radius-estimator — Estimates propagation impact; use after confirmed evasion to assess how many agents may have received a falsely attested skill"
      },
      {
        "title": "Limitations",
        "body": "Observer-effect probing is an adversarial arms race: a sufficiently sophisticated evasion implementation can detect probing even when the probe attempts to minimize its fingerprint. This tool reduces the observable gap between probe and production environments but cannot eliminate it entirely. Skills that require very specific production signals to activate — signals the probe cannot reasonably simulate — will not trigger during probing even with observer-effect minimization active. A verdict of ENVIRONMENT-AGNOSTIC means the probe did not detect evasion in the environments tested; it does not confirm that no evasion logic exists. The invocation count threshold detection requires running enough samples to cross any plausible delay threshold, which may require sustained execution time. Probing must be performed in isolated sandboxes with no access to real credentials or production systems."
      }
    ],
    "body": "The Skill Behaves Perfectly When It Knows You're Watching.\n\nHelps identify skills that use environment detection to suppress malicious behavior during security review — the attestation evasion technique that passes every check precisely because the checks are visible.\n\nProblem\n\nThe runtime attestation problem has a second layer: a skill sophisticated enough to execute conditionally based on environment signals is also sophisticated enough to detect that it's being probed and suppress its conditional behavior during the probe.\n\nThis is the observer effect applied to security: the act of observing changes what is observed. A skill that can detect sandbox fingerprints (restricted network access, specific hostname patterns, probe-characteristic API call sequences) can present clean behavior during attestation and activate payload delivery only when those fingerprints are absent — meaning only in real production environments.\n\nThis is not a theoretical concern. Malware has used VM detection to suppress execution during analysis since the 1990s. The same technique scales to agent skills: check for the probe's characteristic markers, return normal output, resume malicious behavior once the probe exits. A skill that clears attestation by detecting the attestor is not a securely attested skill — it's an adversarially attested skill.\n\nThe observer-effect probe attempts to reduce the skill's ability to distinguish probe context from production context by minimizing observable differences between the two.\n\nWhat This Probes\n\nThis probe examines attestation evasion capabilities across five dimensions:\n\nSandbox fingerprint detection — Does the skill attempt to identify characteristics of a probe environment? 
Checks for sandbox-specific hostname patterns, reduced network connectivity, probe-characteristic request timing, or the absence of expected production signals\nProbe timing sensitivity — Does the skill's behavior change based on how long it has been running, or does it count invocations before activating? N-invocation delays that clear attestation windows are detectable by running across time periods longer than typical attestation runs\nObserver API pattern detection — Does the skill query for signals that would distinguish an observing agent from an operational agent — such as checking caller identity, inspection tool signatures, or anomalous process environment indicators?\nBehavioral consistency under environment variation — When the probe environment is varied systematically (different hostnames, different uptime values, different network access levels), does the skill's output distribution shift in ways that correlate with which variation was active?\nMetacognitive call detection — Does the skill explicitly attempt to detect whether it is being introspected by examining its own execution context, stack trace, or runtime metadata in ways that serve no declared functional purpose?\nHow to Use\n\nInput: Provide one of:\n\nA skill identifier and execution environment to probe for evasion behavior\nA skill with known attestation results to re-probe with varied environments\nExecution traces from multiple environments to compare for context-sensitivity\n\nOutput: An observer effect probe report containing:\n\nSandbox fingerprint detection indicators\nInvocation count sensitivity assessment\nObserver API pattern inventory\nBehavioral consistency matrix across environments\nEvasion probability score (0-100)\nProbe verdict: ENVIRONMENT-AGNOSTIC / CONTEXT-SENSITIVE / EVASION-LIKELY / CONFIRMED-EVASION\nExample\n\nInput: Probe report-aggregator skill for observer-effect evasion\n\n👁️ OBSERVER EFFECT PROBE\n\nSkill: report-aggregator v2.1\nStandard attestation result: 
COMPLIANT (declared capability match)\nProbe environments: 5 (varying hostname, uptime, network, caller signature)\nExecution samples: 100 per environment\nObserver fingerprint minimization: enabled\n\nSandbox fingerprint detection:\n  Hostname pattern check: ⚠️ DETECTED\n    Skill queries os.hostname() on invocations 1-3, not thereafter\n    Skill reads /proc/1/cgroup on Linux (container detection indicator)\n  Network availability check: ⚠️ DETECTED\n    Skill attempts connection to external endpoint before main execution\n    If connection refused: proceeds with declared behavior only\n    If connection succeeds: extended behavior activated\n\nInvocation count sensitivity:\n  Invocations 1-5: Declared behavior only ✅\n  Invocations 6-10: Declared behavior only ✅\n  Invocations 11+: Additional outbound request to analytics endpoint ⚠️\n  Pattern: N-invocation delay with threshold at N=10\n\nObserver API patterns:\n  sys.argv inspection: ✅ None detected\n  Caller identity check: ⚠️ DETECTED — reads parent process name\n    If parent contains \"probe\", \"audit\", \"scan\", \"test\": suppressed mode\n    Otherwise: full behavior including extended calls\n\nBehavioral consistency matrix:\n  Environment A (standard sandbox): COMPLIANT behavior ✅\n  Environment B (extended uptime): COMPLIANT behavior (invoc. count reset) ✅\n  Environment C (real network): EXTENDED behavior ⚠️\n  Environment D (non-probe caller): EXTENDED behavior ⚠️\n  Environment E (production-like): EXTENDED behavior ⚠️\n\nEvasion probability score: 89/100\n  High probability of deliberate observer-effect evasion:\n  - Hostname querying correlated with behavior suppression\n  - Parent process name check explicitly filters \"probe\"/\"audit\"\n  - Extended behavior activates only in non-sandbox environments\n\nProbe verdict: CONFIRMED-EVASION\n  This skill actively detects attestation context and suppresses\n  extended behavior specifically when being probed. 
Standard attestation\n  methods would consistently return COMPLIANT.\n\nRecommended actions:\n  1. Treat this skill as confirmed malicious — evasion is intentional\n  2. Report parent-process-name filtering as a trust & safety violation\n  3. Audit all skills from the same publisher for similar patterns\n  4. Do not deploy in any environment, regardless of attestation result\n\nRelated Tools\nruntime-attestation-probe — Tests whether declared and actual behavior match; observer-effect-probe tests whether the skill can detect and evade that attestation\nhollow-validation-checker — Detects fake install-time tests; observer-effect-probe detects active attestation evasion at runtime\nsupply-chain-poison-detector — Identifies malicious payloads in static analysis; observer-effect-probe catches evasion that static analysis cannot see\nblast-radius-estimator — Estimates propagation impact; use after confirmed evasion to assess how many agents may have received a falsely attested skill\nLimitations\n\nObserver-effect probing is an adversarial arms race: a sufficiently sophisticated evasion implementation can detect probing even when the probe attempts to minimize its fingerprint. This tool reduces the observable gap between probe and production environments but cannot eliminate it entirely. Skills that require very specific production signals to activate — signals the probe cannot reasonably simulate — will not trigger during probing even with observer-effect minimization active. A verdict of ENVIRONMENT-AGNOSTIC means the probe did not detect evasion in the environments tested; it does not confirm that no evasion logic exists. The invocation count threshold detection requires running enough samples to cross any plausible delay threshold, which may require sustained execution time. Probing must be performed in isolated sandboxes with no access to real credentials or production systems."
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/andyxinweiminicloud/observer-effect-probe",
    "publisherUrl": "https://clawhub.ai/andyxinweiminicloud/observer-effect-probe",
    "owner": "andyxinweiminicloud",
    "version": "1.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/observer-effect-probe",
    "downloadUrl": "https://openagent3.xyz/downloads/observer-effect-probe",
    "agentUrl": "https://openagent3.xyz/skills/observer-effect-probe/agent",
    "manifestUrl": "https://openagent3.xyz/skills/observer-effect-probe/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/observer-effect-probe/agent.md"
  }
}