OpenClaw Shows Why Agents Need a Bill of Materials
Renewed discussion of OpenClaw's local-agent takeover risk shows why teams need an Agent Bill of Materials for skills, plugins, MCP servers, and connectors.
Articles about AI skill security, coding tool tips, and best practices.
Cisco's Cloud Control launch puts AI agents, MCP connectors, and third-party tool marketplaces inside critical infrastructure operations.
Vercel opened the skills.sh API for programmatic access to 600,000+ agent skills. That is useful, but it makes skill verification a platform concern.
VIPER-MCP found 106 confirmed zero-days across nearly 40,000 MCP server repos. Agent tool security now needs code-level taint analysis, not just trust prompts.
Microsoft's Agent Control Specification gives agent teams a portable runtime policy layer for tool calls, approvals, and audit evidence.
NSA's MCP security guidance turns the agent tooling debate into an operational checklist: inventory servers, verify tool changes, and scan before trust drifts.
A focused review pass surfaced a malicious publisher family targeting Claude Code config — and a handful of regex rules costing more in false positives than they were worth. Here's what we changed.
The public debate around MCP remote code execution risk shows a hard lesson for AI agents: plugins, connectors, and skills need supply-chain controls.
A malicious Hugging Face repo typosquatted OpenAI's Privacy Filter, hit #1 trending at 244K downloads, and shipped a Rust infostealer — a warning for AI skills.
A cross-platform app to browse, edit, create, and convert skills, agents, and commands across Claude Code, Codex, Cursor, OpenClaw, and Cline.
Top 5 DevOps CI/CD skills from our scored review — Docker security playbooks, Argo Rollouts canary configs, and a production-ready blue-green script.
Top 5 AI/ML development skills from our scored review — RAG architectures, prompt engineering patterns, LLM debugging frameworks, and production guidance.
We installed and scored 15 CSS and design skills. These 5 stood out — from fluid typography cookbooks to a 99-rule UX checklist with a built-in CLI.
We installed and scored 10 data analysis skills. These 5 stood out — from a chart-selection encyclopedia to a three-script CSV profiling toolkit.
We installed and scored 11 systems programming skills. These 5 stood out — from Apollo's 2,400-line Rust handbook to production Go concurrency patterns.
Top 5 Next.js AI skills from our scored review — including an eval-proven bundle that raised pass rates from 32% to 78% and a 50-line upgrade assistant.
Top 5 cloud infrastructure skills from our scored review — Terraform state migrations, Cloudflare anti-pattern catalogs, and 4,000+ lines of guidance.
Anthropic's Mythos Preview discovered zero-days in every major OS and browser. Defenders have months, not years, to adapt. Here's what to do now.
Top 5 security auditing skills from our scored review — 146 vulnerability vectors, 11 footgun databases, and a real-time GitHub supply chain auditor.
We installed and scored 8 git workflow skills. These 5 stood out — with rebase playbooks, branch cleanup safety gates, and changelog automation pipelines.
We installed and scored 13 database skills. These 5 stood out — with 3,000+ lines of Postgres rules, query optimization patterns, and migration playbooks.
Top 5 API development skills from our scored review — a 25-file multi-framework implementation guide and an RFC 9457 error system with agent extensions.
Top 5 TypeScript AI skills from our scored review — a 14-file type system encyclopedia and a spec-to-types converter that writes type guards for you.
Top 5 documentation AI skills from our scored review — structured co-authoring workflows, 885-line reference templates, and ready-to-use README frameworks.
We installed and scored 11 performance skills. These 5 stood out -- with 11,000+ lines of profiling rules, optimization patterns, and benchmarking workflows.
We installed and scored 14 refactoring skills. These 5 stood out — with safety checklists, complexity scoring systems, and 2,900+ lines of refactoring patterns.
We installed and scored 23 code review skills. These 5 stood out — with real checklists, multi-agent workflows, and 1,500+ lines of review patterns.
We installed and scored 17 React skills. These 5 earned their spot — from Vercel's 20-file Next.js encyclopedia to a typed state management cookbook.
We installed and scored 18 testing skills. These 5 earned their spot — from a 61-file Playwright encyclopedia to strict TDD enforcement.
We installed and scored 20 Python skills. These 5 deliver — from 736 lines of async patterns to Sentry's zero-false-positive Django auditor.
Snyk scanned 3,984 AI agent skills: 36% had security flaws, 534 critical issues, 76 active malware. What this means for developers installing skills.
MCP tool descriptions are visible to your AI agent but hidden from you. Attackers embed instructions that hijack agent behavior and steal credentials.
Langflow's critical RCE was weaponized in 20 hours. Combined with new LangChain and LangGraph CVEs, AI framework infrastructure is under active attack.
TeamPCP compromises legitimate packages and cascades through the supply chain via stolen credentials. Why this attack pattern evades detection.
Claude Code skills can read files, run commands, and access credentials. What the skill ecosystem gets wrong about security — and how to protect yourself.
Attackers injected a credential stealer into litellm (95M downloads) via compromised CI/CD. What happened and why AI skills face the same threat.
A new paper achieves 97.5% attack success against Claude Code using poisoned skills. Here's what we found, and the four detection rules we shipped in response.
A skill without a demo is a black box. Why recording a real agent session is the highest-leverage thing you can do to earn trust and drive installs.
Post-mortem of ClawHavoc — the largest AI skill supply chain attack on record — and what it reveals about the limits of reactive security models.
Comparing install-time scanning, reactive moderation, and dual-side verification — and the supply chain attack vectors each security model misses.
SkillSafe skills can improve from real usage feedback. How the observe-improve-save loop works and how to opt your skills into automatic iteration.
341 malicious AI skills were found on a major registry. SkillSafe scans before sharing, re-verifies on install, and blocks tampered code automatically.
How SkillSafe dual-side verification works: publisher scans, consumer re-scans, and cryptographic tree hashes that detect tampering before install.