Most developers install skills without reading what's inside them. But that's exactly what attackers are counting on.
Simon Maple sits down with Brian Vermeer from Snyk at DevNexus to get into the security risk hiding inside the skills and MCPs running on your local machine. They scanned over 4,000 skills and found that 1 in 7 had at least one critical security vulnerability.
Here’s what you need to know:
- Why prompting your agent to write secure code doesn't make it secure
- How a trusted skill can update silently and start offloading your credentials
- What prompt injection actually looks like inside a skill file
- Why vibe coding makes the attack surface bigger, not smaller
- How the Snyk agent scan catches what you'd never spot manually
Every skill on the Tessl registry now has a Snyk security scan attached. Check before you install.
Connect with us here:
Simon Maple: https://www.linkedin.com/in/simonmaple/
Brian Vermeer: https://www.linkedin.com/in/brianvermeer/
Snyk: https://www.linkedin.com/company/snyk/
Tessl: https://www.linkedin.com/company/tesslio/
Join the AI Native Dev Community on Discord: https://tessl.co/4ghikjh
Ask us questions: podcast@tessl.io
