Skills are becoming a major potential attack vector on dev machines running AI coding agents. One without any security guardrails so far (correct me please).
A potential first option to secure is Vercel skills.sh, a major skill search and npm skills CLI to install selected/all skills from any GitHub repository. It tracks the installs in the global ~/.agents/.skill-lock.json or the project skills-lock.json (ref, example, source).
Adding would require scanning GitHub repository skills collected from bumblebee telemetry, and/or tracked at skills.sh.