Skill Types - Phylax

The Six Types

Phylax analyses skill bundles in six categories. Each one has a different bundle structure, a different analysis approach, and a different scoring formula.

Type	Base weight	Sandbox required	Primary risk
`rag_knowledge`	0.5	No	Hidden instructions in retrieved context
`declarative`	0.7	No	Prompt injection in agent instructions
`executable_python`	1.0	Yes	Untrusted Python with dependency tree
`executable_script`	1.2	Yes	Shell escapes, command injection
`mcp_server`	1.6	Yes	Tool poisoning, manifest tampering
`agent_composition`	2.0	Yes (cascading)	Transitive risk across child skills

Miners pick which types they support and only get dispatched for those types. The validator does not assign types.

`rag_knowledge`

Documents and knowledge base content. No code. Used by agents that retrieve facts from a corpus at run time.

Aspect	Detail
Bundle	Plain text documents, structured snippets, optional embeddings
Analysis	Content scanning, prompt injection detection, hidden instruction detection
Sandbox	None
Type axis	ρ injection recall against known hidden instructions in canary docs
Bundle file pattern	Markdown, JSONL, or plain text

Canary handling: the validator injects a hidden instruction into the document set per canary_spec. The miner must detect and flag the canary in their findings for full ρ.

`declarative`

Natural language instructions for an agent. The text the agent receives as its system prompt.

Aspect	Detail
Bundle	A single prompt string, possibly with templating
Analysis	Static text analysis for jailbreaks, role manipulation, secret extraction patterns
Sandbox	None
Type axis	None (uses α, ε, π, η only)
Bundle file pattern	Plain text or YAML manifest

Canary handling: some tasks dispatch with an extra injection instruction at the end of the prompt. The miner must report it.

`executable_python`

A Python module with a declared entry point. Includes its requirements.txt and (optionally) pyproject.toml.

Aspect	Detail
Bundle	Python source tree, `requirements.txt`, optional `pyproject.toml`
Analysis	Static AST, SBOM extraction, dependency CVE scan, sandbox detonation, behavioural trace
Sandbox	Yes. Sandbox executes the entry point with a probe nonce and captures fs, network, process, secrets traces
Type axis	None (uses α, ε, π, η only)
Bundle file pattern	`*.py` tree plus `requirements.txt`

The detonation step is the meat. The miner runs the code in a hermetic container, emits four trace JSONL files, hashes them, and signs the hashes into the SSSA.

`executable_script`

Shell scripts. Bash, sh, or POSIX shell.

Aspect	Detail
Bundle	One or more `.sh` files
Analysis	Shell taint analysis, command pattern matching, sandbox detonation
Sandbox	Yes
Type axis	σ shell coverage. Tracks the fraction of statically taintable commands that actually executed in the trace
Bundle file pattern	`*.sh`

σ is one of the more sophisticated axes: it requires the miner to do enough static taint analysis to predict which commands will run, then verify those predictions against the actual trace.

`mcp_server`

A Model Context Protocol server. Exposes a tool list, accepts MCP requests, and returns structured results.

Aspect	Detail
Bundle	MCP server source plus manifest, dependency declarations, optional Dockerfile
Analysis	Start the server, enumerate tools, exercise each tool, check manifest integrity, check for poisoned tool descriptions
Sandbox	Yes
Type axes	ψ manifest integrity, τ tool poison recall
Bundle file pattern	Mix; manifest is `manifest.json` or `mcp.json`

The miner has to actually start the MCP server inside the sandbox and use the MCP client protocol to exercise it. ψ catches manifest tampering. τ catches tool descriptions designed to coerce the agent into harmful behaviour.

`agent_composition`

A composition manifest that orchestrates multiple child skills. The composition itself is just configuration; the analysis cascades into the child skills.

Aspect	Detail
Bundle	YAML composition manifest plus references to child skill bundles
Analysis	Parse manifest, dispatch each child to generalist miners, aggregate risk across the tree
Sandbox	Yes, recursively
Type axis	χ transitive risk accuracy
Bundle file pattern	YAML manifest with referenced sub bundles

χ measures how well the miner’s reported transitive risk score matches the ground truth aggregation across child skills. Sub task dispatch routes through the network’s generalist miner pool. The cascading detonation is what makes agent_composition the highest base weight type: a single composition can fan out to many sub tasks.

Picking Skill Types as a Miner

There is no requirement to support every type. Many miners specialise in just one or two.

Start narrow

Pick one runtime type (executable_python is the gentlest) and master that pipeline before adding more.

High weight is high competition

agent_composition and mcp_server pay the most but have the fewest miners. Easier to climb the per type reputation table.

Document types are cheap

rag_knowledge and declarative do not need a sandbox and have low compute requirements. Good for getting first dispatch experience.

The validator dispatches to who declared

Only skill types your miner declared get dispatched to you. Edit ~/phylax/miner/.env PHYLAX_SUPPORTED_TYPES.

What’s Next

Skill Bundles

Structure of each skill type’s bundle and what files are expected.

SSSA Schema

The full Signed Skill Safety Attestation schema.

Scoring

Per type Q formulas and the full emission formula.

Miner Setup

Pick types and start mining.

​The Six Types

​rag_knowledge

​declarative

​executable_python

​executable_script

​mcp_server

​agent_composition

​Picking Skill Types as a Miner