[kxbnb]

Interesting approach to the instruction bloat problem. The composable skills idea makes sense - 500 tokens vs 10K is a real difference.

One thing I'd be curious about: how do you think about security when skills auto-provision based on stack detection? If a skill gets compromised upstream, the auto-sync could propagate it quickly.

We're working on policy enforcement for MCP at keypost.ai and thinking about similar trust questions - what should be allowed to load/execute vs what needs explicit approval.

[DavidGraca]

Hi, thanks for reaching out, yep a big issue... not only for skills but all dependencies. One of the options I see is governance... rely on a trusted listing where you with your experts curate/validate/assess and select the ones that match your quality standards. The current MCP already supports that, you just need to change the listing json file, right now i use this listing https://github.com/dmgrok/agent_skills_directory that goes get the skills to some "trusted" repos, anthropic, vercel, github.

how are you dealing with this topic at keypost.ai?