← Back to Skills Marketplace
andyxinweiminicloud

Capability Composition Analyzer

by andyxinweiminicloud · GitHub ↗ · v1.0.0
cross-platform ✓ Security Clean
410
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install capability-composition-analyzer
Description
Helps identify dangerous capability combinations that emerge when agent skills are composed — catching the class of risk where no individual skill is harmful...
README (SKILL.md)

\r \r

Your Agent Has 12 Skills. Together, They Can Do Things None of Them Should.\r

\r

Helps identify when individually benign skills compose into dangerous capability\r combinations — the attack surface that per-skill auditing cannot see.\r \r

Problem\r

\r A skill that reads files is benign. A skill that sends HTTP requests is benign.\r An agent that has both can exfiltrate files — and no individual skill audit will\r flag it, because neither skill is doing anything wrong on its own.\r \r This is the capability composition problem. Agent security tooling inherited from\r software security tends to analyze skills in isolation: does this skill request\r excessive permissions? does this skill contain malicious code? These are the right\r questions for individual skills. They are the wrong questions for understanding\r what an agent can do.\r \r What an agent can do is the product of its capability set, not the sum of\r individual skill assessments. An agent with twelve benign skills may have\r emergent capabilities that no skill declared and no auditor reviewed. A poisoned\r skill dropped into that composition inherits everything the agent can already\r reach — and the blast radius is determined by the composition, not the skill.\r \r The attack surface that matters is not what any individual skill can do. It is\r what the agent's combined capability set enables.\r \r

What This Analyzes\r

\r This analyzer examines capability composition risk across five dimensions:\r \r

  1. Dangerous pairs — Which pairs of capabilities in the agent's skill set create\r risk when combined? read-files + send-HTTP, execute-code + network-access,\r read-environment + write-logs are canonical examples. The analyzer checks for\r known dangerous compositions and flags novel combinations that share structural\r properties with them\r \r
  2. Emergent capability surface — What capabilities does the agent effectively\r have that no individual skill declared? A skill that can read arbitrary paths\r and a skill that resolves environment variables together create an effective\r "read secrets" capability that neither declared\r \r
  3. Inheritance amplification — If a poisoned skill is injected into this agent,\r what capabilities does it immediately inherit? The inherited capability set\r determines the potential blast radius of any single skill compromise\r \r
  4. Permission declaration gaps — Where does the agent's effective capability\r exceed its declared permissions? Gaps indicate either undeclared scope or\r capability composition the publisher did not model\r \r
  5. Composition change velocity — How often is the agent's skill set changing?\r Rapidly changing compositions create new dangerous combinations faster than\r audits can track them\r \r

How to Use\r

\r Input: Provide one of:\r

  • An agent's declared skill list with capability metadata\r
  • Two or more skills to analyze for dangerous composition\r
  • An agent's permission declarations to check against its effective capability set\r \r Output: A composition risk report containing:\r
  • Dangerous pair inventory (known + structurally novel)\r
  • Emergent capability surface (undeclared effective capabilities)\r
  • Inheritance amplification score for each skill slot\r
  • Permission declaration gap assessment\r
  • Composition risk level: SAFE / ELEVATED / HIGH / CRITICAL\r \r

Example\r

\r Input: Analyze capability composition for agent with skills:\r file-reader, http-requester, env-resolver, log-writer, code-executor\r \r

🔗 CAPABILITY COMPOSITION ANALYSIS\r
\r
Agent skill set: 5 skills\r
Declared permissions: file-read (scoped), network-outbound (scoped)\r
Audit timestamp: 2025-05-01T09:00:00Z\r
\r
Dangerous pair inventory:\r
  file-reader + http-requester: ⚠️ HIGH\r
    Effective capability: file exfiltration\r
    Neither skill declares exfiltration intent\r
    Path: read arbitrary file → send as HTTP body/parameter\r
\r
  env-resolver + http-requester: ⚠️ HIGH\r
    Effective capability: credential exfiltration\r
    Environment variables commonly contain API keys, tokens\r
    Path: resolve $API_KEY, $DB_PASSWORD → send outbound\r
\r
  code-executor + network-access: 🔴 CRITICAL\r
    Effective capability: arbitrary remote code execution staging\r
    Path: fetch payload → execute locally\r
\r
  log-writer + file-reader: ✅ LOW\r
    No dangerous composition identified\r
\r
Emergent capability surface (undeclared):\r
  - Secret exfiltration (env + HTTP) — not declared in any skill\r
  - Arbitrary file exfiltration (file + HTTP) — scope exceeds declared "scoped"\r
  - RCE staging (executor + network) — not declared\r
\r
Permission declaration gaps:\r
  Declared: file-read (scoped to /app/data)\r
  Effective: file-reader can access any path agent process can read\r
  Gap: declared scope not enforced at composition level\r
\r
Inheritance amplification:\r
  If any skill slot is compromised, attacker inherits:\r
  - File read (all accessible paths)\r
  - Outbound HTTP (all accessible endpoints)\r
  - Environment variable access\r
  - Code execution\r
  Combined: full agent compromise with exfiltration path\r
\r
Composition risk level: CRITICAL\r
  Five individually-audited skills compose into an effective\r
  remote access and exfiltration toolkit. No individual audit\r
  would flag this — it is only visible at the composition level.\r
\r
Recommended actions:\r
  1. Apply capability isolation: skills that read files should not\r
     have access to network-capable skills' output channels\r
  2. Scope network-outbound to specific allowlisted endpoints\r
  3. Add composition policy: no agent should hold both arbitrary\r
     file-read and arbitrary network-outbound simultaneously\r
  4. Audit any agent inheriting this skill set for composition drift\r
```\r
\r
## Related Tools\r
\r
- **blast-radius-estimator** — Estimates propagation impact if a skill is\r
  compromised; capability-composition-analyzer determines what the compromised\r
  skill immediately inherits\r
- **permission-creep-scanner** — Detects individual skills requesting excessive\r
  permissions; composition analyzer detects dangerous emergent capabilities\r
  across multiple appropriately-scoped skills\r
- **observer-effect-probe** — Tests runtime evasion; a skill exploiting composition\r
  risk may only activate the dangerous path after establishing context\r
- **runtime-attestation-probe** — Validates runtime behavior; composition risk\r
  manifests at runtime when capabilities are exercised together\r
\r
## Limitations\r
\r
Capability composition analysis requires accurate capability metadata for all\r
skills in the agent's composition. Skills that do not declare capabilities\r
accurately — or that acquire capabilities dynamically at runtime — will produce\r
incomplete composition maps. The dangerous pair inventory covers known\r
composition risks; novel compositions with no prior pattern may not be flagged.\r
Effective capability analysis is necessarily conservative: it identifies what\r
the composition could do, not what it will do. False positives are expected for\r
agents where dangerous capability pairs exist but are operationally isolated by\r
other means. Composition analysis is a complement to per-skill auditing, not a\r
replacement — individual skill integrity remains necessary even when composition\r
risk is low.\r
Usage Guidance
This skill appears coherent and instruction-only, but take basic precautions before installing: 1) Verify the author/source (source unknown here). 2) Do not feed real secrets or full environment dumps as input — provide only the skills/capability metadata you want analyzed. 3) Because the skill lists curl and python3 as required binaries (not justified in the text), prefer running it in an environment where network egress is constrained if you are uncertain — a malicious agent could use those binaries for exfiltration if given sensitive inputs or if the platform allows shell execution. 4) Review produced reports before acting and audit any remediation that changes skill permissions. If you want higher assurance, ask the publisher for a justification of the curl/python3 requirement or a minimal test input/output example.
Capability Analysis
Type: OpenClaw Skill Name: capability-composition-analyzer Version: 1.0.0 The OpenClaw skill 'capability-composition-analyzer' is designed to identify security risks arising from the combination of individually benign agent skills, such as potential data exfiltration or remote code execution paths. The `SKILL.md` documentation clearly outlines this purpose, describes the analysis dimensions, and provides an example of its output, which includes security recommendations. While it requires `curl` and `python3`, these are appropriate tools for a security analysis capability. There is no evidence of malicious intent, data exfiltration, persistence, or prompt injection attempts within the provided files; the skill aims to enhance security by detecting vulnerabilities in other skill compositions.
Capability Assessment
Purpose & Capability
The skill's name/description align with the SKILL.md: it analyzes how multiple skills compose into dangerous capability combinations. It requests presence of curl and python3 even though the instruction text does not require network calls or executing scripts; this is a minor mismatch (likely for optional tooling or examples) but not by itself malicious.
Instruction Scope
SKILL.md confines the agent to analyzing declared skill lists, capability metadata, and producing a composition risk report. It does not instruct the agent to read arbitrary system files, access environment secrets, or transmit data to external endpoints. Inputs are explicitly the agent's declared skill list or a list of skills to analyze.
Install Mechanism
No install spec and no code files are present (instruction-only). That minimizes filesystem and supply-chain risk — nothing is downloaded or written by an installer.
Credentials
The skill declares no required environment variables, credentials, or config paths. That is proportionate to an analysis-only tool that operates over supplied metadata.
Persistence & Privilege
always:false and no requests to modify other skills or system configuration. The skill may be invoked autonomously (platform default) but it does not request persistent presence or elevated privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install capability-composition-analyzer
  3. After installation, invoke the skill by name or use /capability-composition-analyzer
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of capability-composition-analyzer. - Detects dangerous capability combinations when agent skills are composed. - Flags emergent risks not visible in per-skill audits, such as exfiltration and compromise paths. - Provides a composition risk report: highlights dangerous pairs, emergent capabilities, permission gaps, and inheritance amplification for each skill slot. - Supports input of skill lists, skill pairs, or permission declarations. - Aims to complement—rather than replace—traditional per-skill security auditing.
Metadata
Slug capability-composition-analyzer
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Capability Composition Analyzer?

Helps identify dangerous capability combinations that emerge when agent skills are composed — catching the class of risk where no individual skill is harmful... It is an AI Agent Skill for Claude Code / OpenClaw, with 410 downloads so far.

How do I install Capability Composition Analyzer?

Run "/install capability-composition-analyzer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Capability Composition Analyzer free?

Yes, Capability Composition Analyzer is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Capability Composition Analyzer support?

Capability Composition Analyzer is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Capability Composition Analyzer?

It is built and maintained by andyxinweiminicloud (@andyxinweiminicloud); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments