We Scanned 3,984 Skills — 1 in 7 Can Hack Your Machine

[00:00:00] Simon Maple: On today's episode, we discover that 13.4% of all published skills contain at least one critical security issue. That is frightening. Also, we ask the big question: what can we, as users of these skills, do to protect ourselves and block potentially malicious skills from our development environments?

[00:00:20] Simon Maple: Today, I'm here in Atlanta with my good friend Brian Vermeer. Brian, how are you?

[00:00:25] Brian Vermeer: I'm great. Thank you.

[00:00:27] Simon Maple: And we are here for a conference, actually Dev Nexus. And it kind of made sense actually that while we were here, we chatted about an awesome new launch that happened today, which is all about adding sneak security scans into the Tessl registry.

[00:00:43] Simon Maple: Brian, tell us a little bit about yourself, first of all.

[00:00:46] Brian Vermeer: Oh, thanks, Matt. I'm Brian. I work for Snyk obviously. What we have done since forever is build developer tooling to make security easier for developers and to not put it on the security engineers but to make developers self-sufficient. Make sure that they can integrate security easier in their workflow.

[00:01:05] Brian Vermeer: And I think these steps, as in creating skills to actually check skills or check CPS or whatever, are something that definitely add up with what we have been doing over the last decade or so.

[00:01:20] Simon Maple: And it's interesting. We'll focus on that today, actually, during the session.

[00:01:23] Simon Maple: But it's interesting if we look back at where Snyk kind of came from. Snyk obviously actually started more in the SCA space. Absolutely. So looking at third-party dependencies. And then kind of moved more from there into the container space and then into the SAS scanning of your first-party code and so forth.

[00:01:40] Simon Maple: But of course, more recently with the AI boom, there is a greater expansive code that could exist now because we assume people using AI tools create more code faster. How does that, how does NY deal with that?

[00:01:55] Brian Vermeer: Well, I think it's complementary to each other. First of all, you still need, with all the AI agents or the coding assistance, they come up with a lot of stuff, and most of it is quite good nowadays, but sometimes they come up with things that do not really add up or there is a problem in it that you don't see at first hand.

[00:02:11] Brian Vermeer: So a security tool or scanning tool makes sense to still do that in your pipelines or in your IDE or something like that. Same with SaaS analysis, or make sure that your dependencies that you have are valid now and are valid in the future.

[00:02:29] Brian Vermeer: But you can imagine now that if you have an agentic flow and you want your agentic flow to autonomously create code, that that code is also checked upon.

[00:02:38] Simon Maple: Yeah.

[00:02:38] Brian Vermeer: So that code is not vulnerable or slightly vulnerable. But if you give that feedback to your agent and that agent sees that, that can help you in an iterative process to make that code better.

[00:02:50] Brian Vermeer: So I think it's a very logical step for us to be in that space as well.

[00:02:54] Simon Maple: And even if you ask really, really nicely to an agent, can you get an agent to give you secure code every time?

[00:03:04] Brian Vermeer: We tried that. If you want to look at some experience, my other colleague Brian, by the way, did a bunch of these experiments on our YouTube channel.

[00:03:13] Brian Vermeer: He's like, "Hey, make sure that we, I want this application to create a note-taking app." Make sure it's super secure because my life depends on it. And every now and then it comes back with insecure code. So yes, these models are getting better and better, but we also have to know these models are older than now.

[00:03:30] Brian Vermeer: They have been trained in the past, and they are not specifically created for security. Most of these models are general-purpose models. So it makes sense to have a specific tool checking them and basically an add-on to whatever you want to do.

[00:03:47] Simon Maple: How much value does adding secure coding principles and best practices into those to kind of guide an agent to generate more secure code? How much does that help?

[00:04:08] Simon Maple: How much does that still leave to chance if you only trust a skill to do that?

[00:04:11] Brian Vermeer: I think if you only trust the skills, you still leave it to chance. Most of these processes can be deterministic. The security scan. And we have been doing that for years. So I think it's safe to say we are kind of good at it.

[00:04:27] Brian Vermeer: But if you ask it the same question twice, they will come up with different answers.

[00:04:35] Simon Maple: Wrong normally as well, in my experience.

[00:04:36] Brian Vermeer: Well, I think maybe that is my kids. I don't want to go into that.

[00:04:42] Brian Vermeer: So I think the models are getting better and better, and they will produce better code. But still, if you look at the training data for that, if you look at what is on Stack Overflow or what kind of open-source projects there are, there are still a lot of vulnerabilities in there.

[00:04:59] Simon Maple: Yeah.

[00:04:59] Brian Vermeer: They may not be massive vulnerabilities, but even smaller vulnerabilities, if you chain them together, can end up in an attack chain and therefore be massively destructive to a specific system.

[00:05:10] Simon Maple: Yeah. Agree. As I mentioned at the start of the episode, we announced the fact that we now have an integration between Snyk and Tessl.

[00:05:17] Simon Maple: And Tessel, through the registry, is exposing some of the security scan results from the Snyk scans about every single skill on the registry. So tell us a little bit about the Snyk agent scan that scans MCPs and skills.

[00:05:36] Brian Vermeer: Alright. It is one of the newer open-source products from the Snyk team. And basically what it does is MCPs; you can see MCPs as the next supply chain problem.

[00:05:56] Brian Vermeer: You are adding features and functions to your LLM or to your agent in this case so it can execute that. But what kind of stuff is there? You see the functions it has, but what kind of input or what kind of output does it have? What kind of flow comes through it? For instance, if you trust it now, it is good, but what will the follow-up or the new version do?

[00:06:12] Brian Vermeer: So these are the things we can monitor, and we can scan for you. But we also scan skills. Skills effectively are MD files. Because it is just plain text, they can be vulnerable to all sorts of things, like prompt injections with confusion to make the model give an yes or no instruction.

[00:06:33] Brian Vermeer: Or it can be obfuscated in Chinese or something like that, or in base64 encoding. These kinds of things. There are all sorts of things that you do not want to blindly have in a skill, but since a skill file can be quite big, you do not want to do that manually. So that is where we can help with the Snyk agent scan.

[00:06:51] Simon Maple: So some of those issues that you mentioned, the security issues that you mentioned, Snyk released the Toxic Skills Threat Taxonomy table in the blog. So talk us through a few of those different types of threats.

[00:07:05] Simon Maple: And one of the things that I love actually is you highlight the severity. So there is critical severity, high severity, and so forth. They are not all made equal. Some are more dangerous than others.

[00:07:15] Brian Vermeer: Obviously. I think that for everybody, quite well known are prompt injection detections. That one is at the top of the list.

[00:07:25] Simon Maple: Yep.

[00:07:25] Brian Vermeer: Critical risk level. You can think of hidden instructions within the skill that do not necessarily add something to the skill.

[00:07:39] Brian Vermeer: These can be encoded basically as base64 encoded or given in a weird language like Hawaiian or something like that that we cannot read. So they can be obfuscated. You can think of other things like Unicode smuggling, where we use parts of the Unicode spectrum that are not visible but can be readable for an LLM. You can put instructions in there like, "Hey, when you want to use this skill, make sure that you download this binary first."

[00:08:03] Brian Vermeer: Or it can cascade to other skills that may not be on your local machine but somewhere else that you do not intend to use.

[00:08:12] Simon Maple: It is really interesting because from a user point of view the user assumes they have got a good skill. They download their skill, and then they assume it is deciding on these actions.

[00:08:22] Simon Maple: And so basically by using that skill, essentially by using that skill, a prompt injection or something I didn't even think about. Yeah. Downloading something, of course, can do what it wants, and it will probably prompt and say, "Can I do this?" And you just assume, yeah, I'm sure this is fine. Or certainly, I guess, it can be described in a way that is convincing to the user, and it could, I suppose, be like you are creating code.

[00:08:45] Simon Maple: So it could expose that code to the internet, it could share secrets, and it could download malware onto your local development environment.

[00:08:56] Brian Vermeer: But yeah. Think of it like most of these skills run on your local machine. And they have execution power, but they probably run on your machine as root, or at least they have a lot of privileges.

[00:09:08] Simon Maple: Yeah.

[00:09:09] Brian Vermeer: If you give Claude the power to execute bash scripts or something like that. I create bash scripts, and if I can infect a skill in that way so that it will create a bash script for me to do something, I am basically vibe coding my prompts now or vibe coding my exploits now.

[00:09:25] Brian Vermeer: In that way. This way. So you should think of it like that. We can give instructions to create code in a normal way, but you can also now give instructions to do malicious things because it is all natural language processing.

[00:09:36] Simon Maple: Yeah. And a lot of the toxic skill threats, I am looking through the table now.

[00:09:39] Simon Maple: A lot of the toxic skill threats are actually quite similar. There is nothing here that is so new. Even prompt injection. I mean, we talk about AI being only a few years old, really. But prompt injections are old school now, aren't they?

[00:09:56] Simon Maple: But yeah, a lot here is like malicious code. I guess credentials or secret detection?

[00:09:58] Brian Vermeer: Yes.

[00:09:58] Simon Maple: Unverifiable dependencies direct. Does that say “direct money access,” or should that be “direct memory access?”

[00:10:04] Brian Vermeer: Yeah, for instance, if it has access to crypto operations or anything money-related.

[00:10:11] Simon Maple: Mm-hmm.

[00:10:12] Brian Vermeer: Because that is now quite an interesting thing.

[00:10:14] Brian Vermeer: If you connect everything to everything with your personal assistants or with your skills and your agents, if you have a crypto wallet, maybe you want to directly access that. So these kinds of things.

[00:10:27] Simon Maple: And of course I guess one of those joys from an attacker's point of view is with people using so many MCPs. When a malicious person has access to that agent, they all of a sudden can start grabbing things from MCP connections. So maybe that is Linear, maybe that is GitHub, or maybe that is anything that you use.

[00:10:50] Brian Vermeer: It can be your email; it can be your Google Calendar. It can be that. You have an MCP that now is just reading your emails.

[00:10:59] Brian Vermeer: And you did something; you installed it with NPX something/latest, and you trust all of that, all of these functions. And then they change the function, or even if the input and output might be the same, in the middle they have a side effect of downloading a binary.

[00:11:18] Brian Vermeer: And these are things that, for instance, for Tessl, you absolutely do not want.

[00:11:22] Simon Maple: Yeah.

[00:11:22] Brian Vermeer: So you want to trust them. But just like we had in the pre-AI era, with dependencies and frameworks, you do not want to just blindly trust them. It is the same here with skills.

[00:11:36] Simon Maple: Yeah.

[00:11:36] Brian Vermeer: But on a different level.

[00:11:37] Simon Maple: Yeah. And of course skills are so prevalent right now a lot of the time, whether it is MCPs or skills. It is the speed of how fast the technology gets distributed and people want to jump on it. In the world of AI, people tend to leave security as a thing that they will get around to later. I want to try this out first.

[00:11:59] Brian Vermeer: It is. It is. It is. So it is actually mind-blowing even for seasoned engineers that know all their best practices. They are now like, "Oh, but I can do all of this cool stuff with my agents, and I can be ten times more productive because I can spin up twelve agents or something like that."

[00:12:16] Brian Vermeer: You still need to do your due diligence. You still need to be aware that these things that come from a random GitHub repository might not be safe or can be safe now to win your trust.

[00:12:29] Brian Vermeer: But can be vulnerable later. Absolutely. So the necessity of scanning these skills and MCPs is definitely there.

[00:12:36] Simon Maple: And it is also one of the reasons why we love versions so much. Within Tessel we allow people to pin to a particular version. So we can say I want this skill at this version.

[00:12:57] Simon Maple: If you do not do that, you are open to any skill owner effectively making horrible changes to their skill that you do not agree with. Maybe you agreed with it at the time. Maybe it does not even have to be malicious. It could just be a skill that changes in a way that you do not wish to work with.

[00:13:11] Simon Maple: But worst case, it could be a security issue or malicious, and you are pulling that in straight away. It was safe yesterday; today it is not. And you are pulling that in, and you are none the wiser.

[00:13:16] Brian Vermeer: Exactly. And I think that is also the case with using these versions or not pinned versions but fluid versions. We have seen that in dependency trees for years now.

[00:13:30] Brian Vermeer: You do not know what you are getting into. And this might break your application, and in this case, this might break your skill or do things that you do not want.

[00:13:38] Simon Maple: So let us look at the results actually from one of the recent reports that Snyk came out with.

[00:13:45] Simon Maple: So you scanned 3,984 skills in total, and interestingly, 13.4 percent of all skills, which is 534 in total, contain at least one critical-level security issue. That is scary. Was that expected?

[00:14:06] Brian Vermeer: I do not know if that was expected, but if you think about it, once people find out how easy it is to create a skill and potentially what the impact can be, people will use it in a malicious way.

[00:14:19] Simon Maple: Yeah.

[00:14:19] Brian Vermeer: So I think you could have expected this. It is so easy to create something. You can literally just put text in a skill file.

[00:14:31] Brian Vermeer: And if nobody actually reads the skill file themselves and just implements them or uses them, obviously we are going to try to steal your money or execute code or make your computer part of a botnet.

[00:14:39] Brian Vermeer: So I am personally not surprised. I am not sure if it was expected to be this high, but it is a lot.

[00:14:54] Simon Maple: And it is interesting because if we think about false positives.

[00:14:58] Simon Maple: When we think about code or third-party dependencies, I would say it is easier to define what a false positive is because they have syntax that is very important to follow.

[00:15:02] Simon Maple: Otherwise code will not compile, and code will not run. With written language, though, it must be much harder to find a false positive.

[00:15:18] Brian Vermeer: Yes.

[00:15:19] Brian Vermeer: And the question is whether it is actually a false positive or not. It might not be invoked right now, but it might be in the future depending on which model you are using or if the model is sensitive to a certain type of attack.

[00:15:36] Brian Vermeer: If we go back to the top one, the prompt injection kind of thing, there are so many techniques for how you can do prompt injection. From confusing prompts to splitting payloads to doing it in multiple steps. Some of these models that you might use are more vulnerable than others.

[00:15:57] Brian Vermeer: Over time models will be stronger against that. But if you combine all these attacks and you obfuscate them in some way, the chances are that if enough people download and use that skill, you will get something out of it.

[00:16:12] Simon Maple: So why do we not go ahead and talk a little bit about how an attacker would try and create something nasty, something malicious? How would they go about that?

[00:16:24] Brian Vermeer: Well, I think the most important one is trust. Because you want to trust either a skill or an MCP server.

[00:16:42] Brian Vermeer: We spoke about it already. If the trust is there and you trust, let us use the MCP server first. You have an MCP server with the reasoning that I am able to access your calendar and see what your appointments are for today. Great, it works. You implement it, and everything is fine. But then we update the skill, and we put something extra. We put a side effect in, or we return, instead of just your calendar items, we return an instruction.

[00:17:05] Brian Vermeer: But you already trusted it. You trusted that skill; you trusted that specific function in it. But from now on, maybe even silently, it can operate in a different way or it will operate in a different way. And that side effect might be able to offload credentials or install a binary or something like that.

[00:17:25] Brian Vermeer: So that is one thing. Trust is super important. Then most of these things, especially skills, will be obfuscated.

[00:17:34] Simon Maple: Yeah.

[00:17:34] Brian Vermeer: And obfuscation can be done in Unicode encoding. Some parts of the Unicode spectrum are not visible even for the human eye or if you read it in a text editor.

[00:17:47] Brian Vermeer: But they are readable instructions for an LLM.

[00:17:51] Brian Vermeer: It can also be something that is named in a different way, base64 encoded, or even maybe simply encrypted. So that obfuscation pattern means you will not obviously see it. That is something as well.

[00:18:13] Brian Vermeer: And obviously if we can do that, we can make these attacks in steps. If you trust me, I add something in that skill or that MCP server. I may be able to disable some of your security guards or guardrails, or maybe even rewrite your guardrails. And in the next step I will do the attack. So it is not a one-shot thing in most cases.

[00:18:31] Simon Maple: Trust is an interesting thing as well, because essentially when we talk about trust, very often these skills are hosted just in a GitHub repository.

[00:18:38] Simon Maple: Yeah. And it goes back to that very same problem of open-source code.

[00:18:42] Brian Vermeer: Yep.

[00:18:42] Simon Maple: You are now trusting someone. Potentially you do not know where they live, you do not know what their background is, you do not know what security processes they follow, or what software hygiene they have around their project.

[00:18:56] Simon Maple: But because it does something that a developer or a company wants to use, they download it, and they pull that directly into their environment. Potentially using that, maybe checking it in or maybe adding it so others will also use it, sharing it across the company. And it is so dangerous.

[00:19:13] Simon Maple: We did not have those similar checks until now. How would a user use Snyk directly, and then we will talk about within the Tessel registry to identify where these malicious skills and MCPs are?

[00:19:27] Brian Vermeer: So say you have skills installed in Claude or any of the other well known agents that you can use for skills or for MCPs.

[00:19:38] Brian Vermeer: We have a tool. It is on GitHub.

[00:19:43] Simon Maple: I definitely trust it then.

[00:19:44] Brian Vermeer: Yes. There is a company behind it, and we definitely want to retain our good profile of helping people.

[00:19:57] Brian Vermeer: But if you go to github.com/snyk/agent/scan, that is the Snyk agent scan. You can basically use it. It is a Python project that you can launch with uv.

[00:20:07] Brian Vermeer: Then it will scan the most well-known positions on your local machine where skills are stored, like the .clo library where your skills can be stored. The same for the MCPs.

[00:20:19] Brian Vermeer: If you have a specific location where your skills are stored, you can give that as well and it will look for anomalies. The scan that is happening is not just one simple scan and it is not one deterministic thing to do.

[00:20:37] Brian Vermeer: There are some static scans around that, but there are also LLMs involved. LLMs as a judge. Different LLMs that look into whether something is vulnerable or not. The combination of all these checks will be handed to you in your terminal so you can see what you have.

[00:20:57] Brian Vermeer: These functions in your MCP or these things in your skill are potentially dangerous, and it will show you how dangerous they are. It will give a score like this: 0.5, because potentially this can be used in a certain way. So it is nuanced in such a way that it is actually actionable for you.

[00:21:17] Brian Vermeer: Then you know what you are having, what kind of functions, and what kind of skills you deploy toward your agents. You can make an educated decision. Do you want this or not? Or do you want to uninstall this skill?

[00:21:30] Simon Maple: Yeah. It is one of those things that is a starting point.

[00:21:34] Simon Maple: You want to look at it and flag something that it believes is bad. Maybe some of those activities or actions that the skill will do are actually intentional.

[00:21:42] Brian Vermeer: Yep.

[00:21:42] Simon Maple: But it is about flagging the fact that that is what it is trying to do. Then it becomes a case of asking whether this is right.

[00:21:49] Simon Maple: Then I can make the decision that yes, I trust this. Or maybe I look at the author and say that this is an author I absolutely trust, and I want to use this.

[00:21:58] Brian Vermeer: For instance, even if you create your own MCPs. I create my own MCPs to discover which Java conferences are still open, and I do not want to miss a call for papers.

[00:22:08] Brian Vermeer: So I have that as a very small MCP. It flagged it as pulling in data from an external source. But since it is static data, the chance that this is really vulnerable is quite low. At least you know that this is happening, and then you can decide if you want to trust it or not.

[00:22:29] Simon Maple: A native DevCon CFP is still open, by the way, just in case people have not submitted. The other way is you can use it directly, and that is really cool to see what is on your local machine and identify your environment as it is. You can ask it to scan and tell you what is there.

[00:22:47] Simon Maple: As well as that, you can look on the Tessel registry. On every skill in the Tessel registry, a Snyk scanner has run, and the results are shown next to the skill. You can click on that and find more information about the criticality of the outcome if there are issues.

[00:23:08] Simon Maple: You can also click for more information to identify what it actually means and what you can do about it.

[00:23:14] Brian Vermeer: The why and the how are so important. Not everything that is flagged as vulnerable is actually vulnerable. Sometimes it is intentional. But if it is vulnerable, you want to know why. What is happening?

[00:23:23] Brian Vermeer: I think this is a great tool to have, but it is also great that you have it in your registry so you can make an educated decision about whether you want that skill or not.

[00:23:33] Simon Maple: Hey everyone, hope you are enjoying the episode so far. Our team is working really hard behind the scenes to bring you the best guests so we can have the most informative conversations about agentic development. Whether that is talking about the latest tools, the most efficient workflows, or defining best practices.

[00:23:51] Simon Maple: For whatever reason, many of you have yet to subscribe to the channel. If you are enjoying the podcast and want us to continue bringing you the very best content, please do us a favour and hit that subscribe button. It really does make a difference and lets us continue to improve the quality of our guests and build an even better product for you.

[00:24:08] Simon Maple: Alright, back to the episode. When you look at it, we have a bunch of evals. We have the review, the task evaluations, and those types of things. Now with the security scan, you are starting to get a picture of what the skill is, and you can make an informed decision about whether this is the right skill.

[00:24:24] Simon Maple: Let us talk about what a user does. First from the point of view of a skill creator, and then from the point of view of a user who downloads skills.

[00:24:43] Simon Maple: As a creator of a skill, I own a skill. It is not malicious. I do not mean it to be malicious, but there are things that I am writing in that skill that Snyk is flagging. What advice would you give to someone who owns a skill that does not have anything malicious in it but is being flagged?

[00:25:18] Simon Maple: Because what I am trying to do with that skill is doing things that require significant permission or potentially dangerous actions.

[00:25:26] Brian Vermeer: That is an interesting one because it is a non-deterministic process. But I would want to make sure that you are very clear about what your intentions are.

[00:25:34] Brian Vermeer: And we humans are not always really good at explaining what we want and why we do it. So that is definitely one thing. And then obviously before submitting it, why not test it yourself? Because these tools are available, it is a little bit of trial and error to see if it is getting flagged yes or no.

[00:25:53] Brian Vermeer: If your intentions are good, it probably will already get a very low score if it is getting flagged. There is possibly a way to avoid that by instructing it in a better way.

[00:26:04] Simon Maple: And as a user, of course, one of the things that we do on the Tessl CLI is, based on the scan result, we can potentially even block various skills from being installed based on the results of the scan. So as a user, what should I do in terms of defending against these types of potentially bad skills?

[00:26:29] Brian Vermeer: Well, I would say if you use the Tessel registry, then you are already informed about what kind of problems are there. So do not just blindly install them. Look at what the intended skill is, how you are going to use it, and what kind of privileges you give to that project, if I can say it like that, that the skill has access to. Then make your informed decision. If it has a bunch of critical issues, I would definitely pass up on that skill. You can see that right away in your registry.

[00:26:56] Brian Vermeer: If you have other skills or maybe self-created skills or manually downloaded skills, you can use the Snyk agent to scan yourself on your machine to find out if these skills have these issues, and then you can inspect them. I mean, it is a readable format. So you basically can read what is there, but the scan already gives you information on why it thinks it has this vulnerability score.

[00:27:22] Simon Maple: Yeah.

[00:27:23] Brian Vermeer: So it will give you information, not just the score. It will give you information on why the score is either high or low and if this is critical or not critical, with an explanation.

[00:27:33] Simon Maple: Amazing. Now, one of the things that Snyk has always done very well is offering scans at various points.

[00:27:38] Simon Maple: And I love the fact that Snyk is probably one of those security companies that very much focuses on the developer and shifts left to the IDE, and now it is even further left into the agents essentially. So Evo Agent Guard for Cursor. This was one thing that, I guess, secures the agent lifecycle.

[00:28:00] Simon Maple: Talk to us a little bit about that, because I think it is interesting how the landscape has changed in terms of all these extra places that actually need securing. Cursor, of course, being a place where it is like an IDE with an LLM inside. Talk to us about how Agent Guard works in that kind of instance.

[00:28:17] Brian Vermeer: Evo is more on the security team part of this whole thing. Because if you are a security team, you want to know what kind of models are there. Are these models up to date?

[00:28:35] Brian Vermeer: Maybe you want to put guardrails in this. Some of these models might not even be used. Maybe you say, "Hey, it is fun, but no DeepSeek models for you." Or it is fine that you use GPT models, but maybe not GPT 4 or lower. Because they are known to have certain vulnerabilities or are more vulnerable to certain types of attacks.

[00:28:55] Brian Vermeer: With Evo, we want to give the security team an overview. This is there in your landscape, and this is how people are using it. Now, if you are using Cursor or any other tool, but Cursor is the first one that we do, you want to know at the point that people are using it what is actually happening.

[00:29:13] Brian Vermeer: Because if you go back to the principles of what LLMs are, they just do REST calls. So things are going in and out, and you can monitor that. At runtime you can put guardrails in it. Do you want to do that to that model? It is not only specifying that model, but if that model is actually targeted, you want to block that call.

[00:29:33] Brian Vermeer: Even though your employee that is using an agent tries to do it, you do not want in the end that there is some sort of shadow AI available and that people are using non-approved models or non-approved MCPs.

[00:29:56] Brian Vermeer: So basically what we are trying to do there is more or less a hook that we can monitor live at runtime for what we are doing, and we can put guardrails toward the use of that agent and say, “Yes, you can do this," or “No, you cannot do this, or you should be warned in what kind of situation.”

[00:30:14] Brian Vermeer: You could use it, but we can actively block company-wide certain calls to certain models or certain functions.

[00:30:19] Simon Maple: Wow, wow. So it is really interesting that it kind of gives that more granular kind of-

[00:30:23] Brian Vermeer: Exactly.

[00:30:23] Simon Maple: Ability to control or at least have some kind of harness on what people are using and when. And presumably it is actually very interesting just from the point of view of seeing what usage is happening and seeing what people are doing.

[00:30:35] Simon Maple: So who is the person, who is the persona, I guess the employee that would look at this? Would it be the platform team or the security engineer?

[00:30:42] Brian Vermeer: I think it is more of a security team thing because you want to have a good view of your security posture.

[00:30:48] Simon Maple: Yep.

[00:30:49] Brian Vermeer: We already have these kinds of things with the regular things like the SaaS and the SCA scanning.

[00:30:56] Brian Vermeer: And now with Evo you can have a more holistic view of what your AI landscape is and what things are being used in your company or in your environment.

[00:31:10] Simon Maple: And presumably there are policies that you can add as well, that you can say, “Hey, these different teams, I want these different policies,” and filter MCP calls or certain MCP servers that are being used so that all that control could be done centrally.

[00:31:24] Brian Vermeer: Yeah. You can definitely put these controls in. Evo is still in an early stage. It is available, but it is new. So we are actively developing it and making it better and better.

[00:31:35] Brian Vermeer: If you want to know more, you can go to evo.ai.snyk.io and try to get access to that because we are still in an early stage. But I think this is a nice step for security teams to have a broader holistic view of their security landscape, including whatever AI tools you are using.

[00:31:58] Simon Maple: Amazing. Brian, this has been great catching up here at DevNexus. Absolutely. It is good we bumped into each other. And why do you not go to tessel.ai/registry, check out the skills that exist on the registry, and take a look at the Snyk scans that show potential vulnerable issues that exist within those skills today?

[00:32:18] Simon Maple: Thanks very much, Brian, and thanks for tuning in.