Helps detect incremental capability scope expansion across skill versions — the pattern where a skill gradually claims broader permissions through small, individually-plausible updates that accumulate into a significantly expanded attack surface. v1.1 adds risk-class contradiction detection.
# Your Skill Started with File Read. Now It Has the Whole Filesystem.
> Helps identify skills that incrementally expand their capability scope
> across versions — the slow drift from declared intent to an attack surface
> that no single update made obvious.
## Problem
Capability scope expansion is rarely dramatic. A skill that declared
"read /app/data/" at v1.0 does not suddenly claim "read /" at v1.1. Instead,
the expansion happens incrementally: v1.1 adds one subdirectory for a
legitimate-sounding reason, v1.2 adds another, v1.3 resolves environment
variables that could point anywhere. By v1.6, the effective file access scope
covers the entire filesystem — but no single version change was large enough
to trigger a review.

This is the slow-drift attack pattern. Each individual step is defensible.
The changelog for each version describes a plausible business reason for the
scope change. Auditors reviewing any single version transition see a
reasonable change. Only an auditor examining the full version history —
comparing v1.0 to v1.6 — sees the accumulated scope expansion for what it is.

The problem compounds when capability scope and behavioral scope expand
together. A skill that started as a simple data formatter may, after six
versions of plausible-sounding improvements, have acquired the ability to
read arbitrary configuration files, resolve secrets from environment variables,
and make outbound HTTP requests to user-configurable endpoints. No individual
feature addition made this obvious. The combination did.

Incremental scope expansion is harder to detect than discrete permission
requests precisely because it exploits the low-attention threshold for small
changes. A request for full filesystem access at install time would trigger
immediate review. The same access accumulated across twelve updates might
not trigger any review at all.
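
The cumulative comparison described above, as an added example (not this skill's own code): each version is checked against its predecessor and against the first version, so drift shows up even when every step looks small. The manifest format, capability strings, and thresholds are assumptions, and the version history is constructed.

```python
from pathlib import PurePosixPath

# Constructed history (hypothetical manifest format): version -> declared capabilities.
HISTORY = [
    ("1.0", {"read:/app/data"}),
    ("1.1", {"read:/app/data", "read:/app/config"}),
    ("1.2", {"read:/app/data", "read:/app/config", "read:/var/log/app"}),
    ("1.3", {"read:/app/data", "read:/app/config", "read:/var/log/app",
             "read:$DATA_DIR"}),
    ("1.4", {"read:/app/data", "read:/app/config", "read:/var/log/app",
             "read:$DATA_DIR", "net:http-out"}),
]

def covered(cap, granted):
    """True if cap is already implied by a capability in granted."""
    kind, _, target = cap.partition(":")
    if kind != "read" or target.startswith("$"):
        # Non-file capabilities and env-resolved paths need an exact prior grant:
        # an env variable can point anywhere, so no path prefix implies it.
        return cap in granted
    path = PurePosixPath(target)
    for g in granted:
        gkind, _, gtarget = g.partition(":")
        if gkind == "read" and not gtarget.startswith("$"):
            base = PurePosixPath(gtarget)
            if path == base or base in path.parents:
                return True
    return False

def audit(history, step_limit=1, total_limit=2):
    """Flag large single steps and accumulated drift from the first version."""
    baseline = history[0][1]
    prev, findings = baseline, []
    for version, caps in history[1:]:
        step = {c for c in caps if not covered(c, prev)}
        total = {c for c in caps if not covered(c, baseline)}
        findings.append({
            "version": version,
            "step_added": sorted(step),
            "step_flag": len(step) > step_limit,     # what a per-update review sees
            "drift_flag": len(total) > total_limit,  # what a full-history review sees
            "unbounded": sorted(c for c in total if "$" in c),
        })
        prev = caps
    return findings

if __name__ == "__main__":
    for finding in audit(HISTORY):
        print(finding)
```
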
## What This Watches
This watcher examines capability scope expansion across five dim...