Skills security
Scanning AI skills at scale: what we learned
Notes on a cross-registry audit of Anthropic Skills. Credential exfiltration, tool-call smuggling, and silent network calls are the dominant issue classes. Here is the taxonomy.
What Model Context Protocol is, why the servers are uniquely risky, and how to assess one in under ten minutes. With concrete detection signatures.
Skills, MCP servers, .cursorrules, and agents.md are the new untrusted dependencies. Treat them like npm circa 2018: untrusted by default, scanned on ingest, pinned on use.