Despite the obvious self promotion, this whole concept of insecure skills is so dumb to me, if your engineers are installing and running random "skills" found online it's the same as if you had engineers copy and pasting commands into the terminal, it's superficial marketing bs at best
Installing npm modules seems similar as far as the risks go? The assumption is that you have a semi-trusted source of good libraries that's at least somewhat resistant to supply-chain attacks. A similar thing could in theory be done for well-known skills, but it requires a community norm of not releasing crap.
So it seems like the question is how do you build something worthy of people's trust?
> it's the same as if you had engineers copy and pasting commands into the terminal,
the difference being that a lot of orgs put explicit and direct controls around this. The other difference being it still requires human evaluation of "is this a good idea, or could it get me fired?" where agents/skills rarely will consider these things and just go
[dead]