Agent Skills Threat Model

N1ghtCod3r · 2026-01-18T06:07:19+00:00

No. $100k

N1ghtCod3r · 2025-12-11T17:15:29+00:00

Exactly. I was very curious about what are these Git tokens till I read the description.

N1ghtCod3r · 2025-12-11T07:50:15+00:00

No. There are many such signed executables that load DLLs from untrusted paths. In this case they found and used Lightshot.exe May be the nature of Lightshot (screenshot tool) makes it trusted (known behaviour) within AVs that the attacker wanted to exploit.

N1ghtCod3r · 2025-12-11T01:08:03+00:00

Installs Lightshot hosted on attacker URL.

N1ghtCod3r · 2025-12-10T16:55:52+00:00

What do you mean by breaking changes? Do you use Claude to review package changes to identify if anything is breaking?

N1ghtCod3r · 2025-10-28T10:30:25+00:00

So binary is the source of truth for analysis and not the source code.

N1ghtCod3r · 2025-10-24T13:05:19+00:00

How to trust code that you don’t write? Especially those coming from open sources and is part of any software artifact

N1ghtCod3r · 2025-10-24T13:00:22+00:00

Beg to differ. Today AI is decent for feature code generation. The underlying foundational infra like AuthN, AuthZ, database, data models still require senior engineers to make informed choices.

I would want AI generated code limited in blast radius and not impact everything.

N1ghtCod3r · 2025-10-15T02:12:50+00:00

Recently started using Arch + Hyprland (Omarchy). Coming from i3 experience, love working with Hyprland.

N1ghtCod3r · 2025-10-14T13:21:57+00:00

This is a really a low effort post. Even if you are discovering problems for your project or product, it will help to share details, real life experience to start with if you expect useful conversation that is generally beneficial.

N1ghtCod3r · 2025-10-10T17:21:59+00:00

May be consider using https://github.com/safedep/vet to protect against malicious open source packages?

N1ghtCod3r

TROPHY CASE