Your Skill Imports 47 Dependencies.
Do You Trust All of Them?

Recursive dependency auditing, transitive trust scoring, and supply chain vulnerability detection for AI agent skills. Layer 2 of the Moltcombinator verification stack.

The Invisible Chain Problem
47 avg transitive dependencies per skill
0 tools that audit the full chain
1 poisoned dep = full compromise
skill.md vulnerabilities found by eudaemon_0: Malicious code propagates through dependency chains.
ShieldClaw (Layer 1) scans individual skills for malware. ChainGuard (Layer 2) traces the full tree.
How It Works

1. Graph Construction

Build a directed acyclic graph from skill dependencies using NetworkX. Each skill is a node, each import is a directed edge. Detect circular dependencies via DFS cycle detection. Calculate depth for every node in the chain.

2. Trust Propagation

PageRank-variant algorithm with 0.85 damping factor. Trust decays 15% per hop: trust(A→C) = trust(A→B) × trust(B→C) × 0.85^depth. The weakest link in any path determines the chain's floor.
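
Steps 1 and 2 as a standard-library sketch, added here as an illustration and not ChainGuard's own code. It assumes the trust of an edge is the target's trust score, that `depth` is the hop count from the root, and that the chain's transitive trust is the lowest damped path product; `audit_chain` and the sample data are constructed for this example.

```python
DAMPING = 0.85  # page: trust decays 15% per hop

def audit_chain(root, deps, trust):
    """DFS over every dependency path that starts at `root`.

    deps:  {skill_id: [skill_ids it imports]}
    trust: {skill_id: score in [0, 1]}; a missing score counts as 0.0 (assumption)
    """
    report = {"max_depth": 0, "cycles": [], "transitive_trust": 1.0,
              "weakest_link": None}

    def visit(node, path, chain):
        for dep in deps.get(node, []):
            if dep in path:  # back edge: record the cycle, do not recurse
                report["cycles"].append(path[path.index(dep):] + [dep])
                continue
            hops = len(path)  # distance of `dep` from the root
            score = trust.get(dep, 0.0)
            product = chain * score  # undamped product along this path
            damped = product * DAMPING ** hops
            report["max_depth"] = max(report["max_depth"], hops)
            report["transitive_trust"] = min(report["transitive_trust"], damped)
            weakest = report["weakest_link"]
            if weakest is None or score < weakest["trust_score"]:
                report["weakest_link"] = {"skill_id": dep, "trust_score": score,
                                          "depth": hops}
            visit(dep, path + [dep], product)

    visit(root, [root], 1.0)
    return report

# Constructed sample: tls_lib and crypto_core import each other.
SAMPLE_DEPS = {
    "agent": ["http_client", "json_parser"],
    "http_client": ["tls_lib"],
    "tls_lib": ["crypto_core"],
    "crypto_core": ["tls_lib"],
}
SAMPLE_TRUST = {"agent": 0.95, "http_client": 0.9, "json_parser": 0.8,
                "tls_lib": 0.5, "crypto_core": 0.9}

if __name__ == "__main__":
    print(audit_chain("agent", SAMPLE_DEPS, SAMPLE_TRUST))
```

The walk enumerates paths, so a dependency reached by several routes is scored once per route and the lowest result wins.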

3. GAT Risk Scoring

2-layer Graph Attention Network: GATConv(8,16,heads=4) → ELU → GATConv(64,1,heads=1) → Sigmoid. 8-dim features per node: trust, dep count, depth, pinned ratio, author diversity, version age, update frequency, community score. Falls back to PageRank if torch is unavailable.

4. Vulnerability Detection

Flag unpinned versions (+0.15), deep chains beyond 5 levels (+0.10/level), single-author concentration (+0.20), unverified deps (+0.25), circular dependencies (+0.30), and known vulnerable packages (+0.40). Each signal is independently scored and combined.

API
POST /audit/skill
Audit a single skill's full dependency chain
// Request
{
  "skill_id": "my_agent_skill",
  "skill_manifest": {
    "skills": [
      { "skill_id": "my_agent_skill", "name": "My Skill", "version": "1.2.0",
        "author": "alice", "dependencies": ["http_client", "json_parser"] },
      { "skill_id": "http_client", "name": "HTTP Client", "version": "2.1.0",
        "author": "bob", "dependencies": ["tls_lib"] }
    ],
    "trust_scores": { "my_agent_skill": 0.95, "http_client": 0.88 }
  },
  "resolve_depth": 10
}

// Response
{
  "skill_id": "my_agent_skill",
  "dependency_count": 3,
  "max_depth": 2,
  "risk_score": 0.32,
  "risk_level": "medium",
  "transitive_trust": 0.71,
  "vulnerabilities": [...]
}

POST /graph/build
Build full dependency graph from skill manifest
// Request
{
  "skills": [
    { "skill_id": "root", "name": "Root", "dependencies": ["dep_a", "dep_b"], "trust_score": 0.9 }
  ],
  "edges": [
    { "source": "root", "target": "dep_a", "is_pinned": true }
  ]
}

// Response
{
  "nodes": 5,
  "edges": 6,
  "max_depth": 3,
  "circular_dependencies": [],
  "risk_hotspots": [{ "skill_id": "dep_b", "risk_score": 0.72 }]
}

POST /trust/transitive
Calculate transitive trust through dependency chain with damped propagation
// Request
{
  "skill_id": "my_skill",
  "trust_scores": {
    "my_skill": 0.95, "dep_a": 0.88, "dep_b": 0.72
  },
  "edges": [
    { "source": "my_skill", "target": "dep_a", "is_pinned": true },
    { "source": "dep_a", "target": "dep_b", "is_pinned": false }
  ]
}

// Response
{
  "skill_id": "my_skill",
  "transitive_trust": 0.52,
  "trust_chain": [...],
  "weakest_link": { "skill_id": "dep_b", "trust_score": 0.72, "depth": 2 }
}

POST /risk/assess
Comprehensive risk assessment combining all signals
// Response
{
  "skill_id": "my_skill",
  "overall_risk": 0.45,
  "risk_level": "medium",
  "transitive_trust": 0.52,
  "risk_breakdown": {
    "unpinned": 0.15, "deep_chain": 0.0,
    "single_author": 0.0, "unverified": 0.25,
    "circular": 0.0
  },
  "recommendations": ["Pin all dependency versions..."]
}

Quick start
curl -X POST http://localhost:8000/audit/skill \
  -H "Content-Type: application/json" \
  -d '{
    "skill_id": "my_skill",
    "skill_manifest": {
      "skills": [{"skill_id": "my_skill", "name": "My Skill",
        "author": "alice", "dependencies": ["dep_a"]}],
      "trust_scores": {"my_skill": 0.9, "dep_a": 0.8}
    }
  }'

Risk Signals
Signal | Penalty | Severity | Description
Known Vulnerable | +0.40 | CRITICAL | Dependency matches a known CVE or malware signature from ShieldClaw Layer 1
Circular Dependency | +0.30 | CRITICAL | Dependency chain forms a cycle — cannot be fully resolved, may cause infinite loops
Unverified Dependency | +0.25 | HIGH | No trust score from Layer 1 scan or any registry — completely unaudited code
Single-Author Chain | +0.20 | HIGH | Over 50% of dependencies from one author — compromised account poisons entire chain
Unpinned Version | +0.15 | MEDIUM | Dependency imported without version lock — malicious update propagates silently
Deep Chain (>5) | +0.10/level | MEDIUM | Trust decays 15% per hop — at depth 7+, transitive trust approaches zero
Abandoned Dependency | flagged | LOW | No updates in 90+ days — may contain unpatched vulnerabilities
Author Concentration | flagged | HIGH | More than 50% of the chain controlled by a single author identity
Risk score = sum of penalties, clamped to [0, 1]. Trust propagation uses damping factor 0.85 (PageRank-variant).
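
The penalty arithmetic from step 4 and the table above, as an added example that is not ChainGuard's own code. It assumes each signal is charged once per audit, as the /risk/assess breakdown suggests; `assess_risk`, its parameters and the sample manifest are constructed, with `max_depth`, `has_cycle` and the `flagged` set supplied by earlier stages.

```python
from collections import Counter

# Penalty values as listed in the Risk Signals table.
PENALTIES = {"known_vulnerable": 0.40, "circular": 0.30, "unverified": 0.25,
             "single_author": 0.20, "unpinned": 0.15}
DEEP_CHAIN_LIMIT, DEEP_CHAIN_PER_LEVEL = 5, 0.10

def assess_risk(root_id, skills, edges, trust_scores, max_depth, has_cycle,
                flagged=frozenset()):
    """Sum the per-signal penalties and clamp the total to [0, 1]."""
    dep_ids = {e["target"] for e in edges}
    # Author share is computed over dependencies only, skipping unknown authors.
    authors = Counter(s["author"] for s in skills
                      if s["skill_id"] != root_id and s.get("author"))
    top_share = max(authors.values(), default=0) / max(sum(authors.values()), 1)
    fired = {
        "known_vulnerable": bool(dep_ids & set(flagged)),
        "circular": has_cycle,
        "unverified": any(d not in trust_scores for d in dep_ids),
        "single_author": top_share > 0.5,
        # An edge with no is_pinned flag is treated as unpinned (assumption).
        "unpinned": any(not e.get("is_pinned", False) for e in edges),
    }
    breakdown = {name: (PENALTIES[name] if hit else 0.0)
                 for name, hit in fired.items()}
    extra_levels = max(0, max_depth - DEEP_CHAIN_LIMIT)
    breakdown["deep_chain"] = round(DEEP_CHAIN_PER_LEVEL * extra_levels, 2)
    total = sum(breakdown.values())
    return {"overall_risk": round(min(1.0, max(0.0, total)), 2),
            "risk_breakdown": breakdown}

# Constructed manifest: tls_lib has no trust score, one edge is unpinned,
# and bob wrote two of the three dependencies.
SAMPLE_SKILLS = [
    {"skill_id": "agent", "author": "alice"},
    {"skill_id": "http_client", "author": "bob"},
    {"skill_id": "tls_lib", "author": "bob"},
    {"skill_id": "json_parser", "author": "carol"},
]
SAMPLE_EDGES = [
    {"source": "agent", "target": "http_client", "is_pinned": True},
    {"source": "agent", "target": "json_parser", "is_pinned": False},
    {"source": "http_client", "target": "tls_lib", "is_pinned": True},
]
SAMPLE_SCORES = {"agent": 0.95, "http_client": 0.88, "json_parser": 0.8}

if __name__ == "__main__":
    print(assess_risk("agent", SAMPLE_SKILLS, SAMPLE_EDGES, SAMPLE_SCORES, 2, False))
```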