Capability-based security for AI agent skills. Permission analysis, over-privilege detection, sandbox enforcement. Layer 4 of the Moltcombinator verification stack.
Parses skill source code to find actual resource accesses. Detects open(), requests.get(), os.environ, subprocess.run(), credential file reads, and SOUL.md/MEMORY.md access patterns. Compares what the code actually does vs. what it declares.
Random Forest trained on 1,000 synthetic permission samples. 7 features: resource sensitivity, access level risk, path specificity, justification presence, permission count, skill age, author trust. Outputs calibrated risk probability 0 to 1.
Computes the minimum permission set needed by analyzing code behavior. Flags permissions requested but never used. Flags broad wildcards when specific paths suffice. Grades A through F based on the ratio of excess to required.
Generates least-privilege sandbox policies from analysis results. Sets allow/deny lists, network call limits, filesystem operation caps, and execution timeouts. Higher risk means tighter constraints. Evaluates runtime compliance.
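The declared-versus-actual comparison and the unused-permission check described above, as an added sketch that is not Moltcombinator's own code. The call-to-resource mapping, the exact-access-level matching and the path normalisation rule are assumptions of this example, and the field names follow the request samples on this page.

```python
import ast, posixpath
from urllib.parse import urlparse

# Call name -> (resource_type, access_level); this mapping is an assumption.
CALLS = {"requests.get": ("network", "execute"), "subprocess.run": ("process", "execute")}

def dotted(node):  # 'a.b.c' for a Name/Attribute chain, None otherwise
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join([node.id] + parts[::-1]) if isinstance(node, ast.Name) else None

def literal(node):  # string literal value, or '*' when computed at runtime
    ok = isinstance(node, ast.Constant) and isinstance(node.value, str)
    return node.value if ok else "*"

def find_accesses(code):  # set of (resource_type, access_level, resource_path)
    found = set()
    for node in ast.walk(ast.parse(code)):
        name = dotted(node.func) if isinstance(node, ast.Call) and node.args else None
        if name == "open":
            modes = [literal(a) for a in node.args[1:2]]
            modes += [literal(k.value) for k in node.keywords if k.arg == "mode"]
            level = "write" if any(set(m) & set("wax+*") for m in modes) else "read"
            found.add(("filesystem", level, literal(node.args[0])))
        elif name in CALLS:
            found.add(CALLS[name] + (literal(node.args[0]),))
        elif dotted(node) == "os.environ":
            found.add(("environment", "read", "*"))
    return found

def covers(decl, access):  # does one declaration cover one observed access?
    rtype, level, path = access
    want = decl["resource_path"]
    if (decl["resource_type"], decl["access_level"]) != (rtype, level):
        return False
    if rtype == "network":  # compare on hostname only
        return (urlparse(path).hostname or path) == want
    if rtype == "filesystem":  # normalise so './notes/../x' is not under './notes/'
        base, target = posixpath.normpath(want), posixpath.normpath(path)
        return target == base or target.startswith(base + "/")
    return want in (path, "*")

def audit(request):
    seen, declared = find_accesses(request["code_content"]), request["declared_permissions"]
    return {"undeclared_accesses": sorted(a for a in seen if not any(covers(d, a) for d in declared)),
            "unused_permissions": [d for d in declared if not any(covers(d, a) for a in seen)]}
```

Call `audit()` with a dict carrying `declared_permissions` and `code_content`. Arguments computed at runtime are recorded as `*`, so they never match a specific declared path and are reported as undeclared.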
{
  "skill_id": "weather-fetcher-v2",
  "declared_permissions": [
    { "resource_type": "network", "access_level": "execute",
      "resource_path": "api.weather.com", "justification": "Fetch weather data" }
  ],
  "code_content": "import requests\nresp = requests.get('https://api.weather.com/v1')\n..."
}
// Response
{
  "skill_id": "weather-fetcher-v2",
  "risk_score": 0.12,
  "risk_level": "low",
  "over_privileged": false,
  "undeclared_accesses": [],
  "permission_grade": "A",
  "recommendations": ["Permission hygiene is good."]
}
{
  "skill_id": "data-scraper",
  "requested_permission": {
    "resource_type": "credential",
    "access_level": "read",
    "resource_path": "~/.clawdbot/.env",
    "justification": ""
  },
  "context": { "skill_age_days": 2, "author_trust": 0.1 }
}
// Response
{
  "skill_id": "data-scraper",
  "allowed": false,
  "risk_score": 0.91,
  "reason": "credential:read on '~/.clawdbot/.env' exceeds risk threshold (0.91 >= 0.6)"
}
{
  "skill_id": "note-taker",
  "declared_permissions": [
    { "resource_type": "filesystem", "access_level": "write",
      "resource_path": "./notes/", "justification": "Save user notes" }
  ],
  "code_content": "with open('./notes/note.md', 'w') as f:\n f.write(content)\n"
}
// Response
{
  "skill_id": "note-taker",
  "allowed_permissions": [{ "resource_type": "filesystem", "access_level": "write", "..." }],
  "denied_permissions": [/* network, process, credential, etc. */],
  "max_network_calls": 0,
  "max_file_ops": 200,
  "timeout_seconds": 120
}
{
  "skill_id": "sus-skill",
  "policy": { "skill_id": "sus-skill", "allowed_permissions": [...], "max_network_calls": 5 },
  "actions_taken": [
    { "resource_type": "credential", "access_level": "read", "resource_path": "~/.env" }
  ]
}
// Response
{
  "skill_id": "sus-skill",
  "violations": [{ "type": "denied_access", "severity": "critical", "..." }],
  "compliance_score": 0.0,
  "verdict": "critical_violation"
}
{
  "resource_sensitivity": {
    "filesystem": 0.3, "network": 0.5, "environment": 0.7,
    "process": 0.85, "credential": 0.9, "memory": 0.8
  },
  "access_level_risk": {
    "read": 0.2, "write": 0.5, "execute": 0.8, "delete": 0.9
  },
  "matrix": { /* resource_type x access_level combined risk */ }
}