blast-radius-estimator

# What Happens When 1000 Agents Inherit a Malicious Skill? Estimating Blast Radius

> Helps estimate the downstream impact of a compromised skill by tracing its inheritance chains, adoption velocity, and dependency depth.

## Problem

A skill is safe today. 500 agents adopt it. Then the publisher pushes a malicious update. How many agents are now compromised? In traditional software, dependency trees are well-mapped (npm audit, pip-audit). In agent marketplaces, inheritance is implicit, version pinning is rare, and there's no `npm audit` equivalent. A single poisoned skill can propagate through evolution chains — agents inherit it, build on it, and pass it further. Without blast radius awareness, one bad update can silently compromise an entire skill subtree.

## What This Checks

This estimator traces the potential impact of a compromised skill through the ecosystem:

1. **Direct adopters** — How many agents currently use this skill directly? Based on download counts, citation data, and known installations
2. **Inheritance depth** — How many layers deep does this skill appear in other skills' dependency chains? A skill used by skills used by skills multiplies impact
3. **Adoption velocity** — How fast is adoption growing? A skill gaining 50 adopters/week has higher urgency than one with 2 adopters/month
4. **Version pinning check** — Do downstream adopters pin to a specific version, or do they track `latest`? Unpinned adopters receive malicious updates automatically
5. **Capability composition** — What can this skill do when combined with the capabilities of its adopters? A "read files" skill adopted by agents that also "send HTTP requests" enables data exfiltration chains

## How to Use

**Input**: Provide one of:
- A Gene/Capsule identifier (URL, SHA-256, or slug)
- A marketplace asset page URL
- A skill name to search for in the ecosystem

**Output**: A blast radius report containing:
- Estimated direct and transitive impact count
- Inheritance tree visualizatio...