by joe-limia 95 days ago
Despite the obvious self-promotion, this whole concept of insecure skills is so dumb to me. If your engineers are installing and running random "skills" found online, it's the same as if you had engineers copying and pasting commands into the terminal. It's superficial marketing BS at best.
3 comments

Installing npm modules seems similar as far as the risks go? The assumption is that you have a semi-trusted source of good libraries that's at least somewhat resistant to supply-chain attacks. A similar thing could in theory be done for well-known skills, but it requires a community norm of not releasing crap.

So it seems like the question is how do you build something worthy of people's trust?

It's exactly like npm packages. But it seems every time there's a new technology, we abandon the security practices that we had before...

> it's the same as if you had engineers copy and pasting commands into the terminal,

The difference being that a lot of orgs put explicit and direct controls around this. The other difference being it still requires human evaluation of "is this a good idea, or could it get me fired?" where agents/skills rarely will consider these things and just go.

Completely agree with you! But it seems that people use things without thinking about security.

Absolutely agree. But they do!