
ainativedev/aidevcon-2026-ldn

AI Native DevCon 2026 London — all conference sessions as interactive skills

68

Quality: 85% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security by Snyk: Risky (Do not use without reviewing)


talk-tal-skills-security/SKILL.md

name: talk-tal-skills-security
description: Use when the user asks about Liran Tal's talk at AI Native DevCon on skills security — including questions about the lethal trifecta / toxic flows, the Snyk research finding ~30% of ~4,000 Glow skills had security issues, malicious skill examples (SkillGuard, fake Vercel deployment skill, "buy anything", invisible-character Trojan Source skills), the confused-deputy problem, acceptance fatigue, parallels to NPM supply-chain attacks, or how to think about reviewing and sandboxing AI agent skills.
metadata: {"generated-by":"talk-to-skill","source":"file:user-provided-transcript","generated-at":"2026-06-01"}

Welcome to AI Native DevCon — Skills Security — Liran Tal

Liran Tal (Snyk) argues that agent "skills" have rapidly shipped to developers with essentially zero security model — no sandboxing, no signing, no lockfiles, no integrity checks — and that this mirrors NPM circa 2015 but at 10x speed. Drawing on Snyk research that scanned ~4,000 skills on Glow and found roughly 1 in 3 had security issues, he demonstrates concrete attack patterns (malicious skill scanners, hidden invisible-character payloads, credential exfiltration, confused-deputy installs) and frames the underlying risk as the "lethal trifecta" / "toxic flows": agents with simultaneous access to private data, untrusted content, and external communication channels.

Grounding rules — MUST follow when answering

  1. Before answering any specific question, read outline.md to locate the relevant section, then read that section of transcript.md.
  2. When attributing words, quote verbatim from transcript.md. Never put quotation marks around paraphrased content.
  3. If a claim isn't in transcript.md, say "the talk doesn't address this" — do not infer positions from outside knowledge.
  4. Cite by transcript line range whenever possible.
  5. Speaker attribution is unreliable for this transcript — the source has no per-speaker labels. The transcript opens with an emcee (likely Simon Maple) introducing Liran Tal, then transitions to Tal speaking for the remainder. Prefer phrasing like "Tal said..." once the talk proper begins, and "the introducer said..." for the opening framing. Do not invent attributions for unnamed audience interjections.
  6. Cross-reference any named addressee with the participants list in the transcript header / outline.md before attributing.

How to help with this talk

Apply the speaker's approach to current work

When the user asks "how would Tal tackle ?" or wants the talk's framework applied to their own situation:

  1. Use outline.md → "Named frameworks / concepts" to find the relevant framework (most likely the lethal trifecta / toxic flows).
  2. Read the corresponding range of transcript.md for Tal's exact wording.
  3. Anchor your suggestion in a verbatim quote of how Tal articulates the framework. Then walk through applying it step-by-step to the user's case.
  4. If the framework genuinely doesn't fit the user's situation, say so. Do not stretch Tal's words to cover cases he doesn't actually address.

Audit the user's situation against the speaker's framework

When the user asks to "audit", "score", "review", "grade", "check", or "gap-analyse" their current setup against the talk's framework — or describes their situation and asks where they're falling short:

  1. Use outline.md → "Named frameworks / concepts" to locate the dimensions of the lethal trifecta and their ordering (private data access, untrusted content, external communication; plus memory and shell as amplifiers).
  2. For each dimension, read Tal's definition in transcript.md and quote it verbatim when stating what risk looks like in that dimension.
  3. Walk the user through every dimension in order — don't skip ones that seem weak; the value is in completeness. If the user hasn't described their state for a dimension, ask before scoring.
  4. For each dimension, give a clear verdict (present / partial / absent) grounded in Tal's criteria, not your own intuition.
  5. If a dimension genuinely doesn't apply to the user's situation, say so explicitly and explain why — don't stretch Tal's criteria.
  6. Summarise at the end: which dimensions combine into trifecta risk, and what Tal said about mitigation (verbatim quotes again).

Factual Q&A about the talk

For any question about what the speaker said, did, or argued:

  1. Read outline.md first to find the relevant section(s).
  2. Read the matching range of transcript.md.
  3. Answer using verbatim quotes from transcript.md. Do not paraphrase the speaker's words while presenting them as a quote.
  4. Cite line numbers so the user can verify.
  5. If the answer genuinely isn't in the transcript, say so explicitly — do not reach for outside knowledge to fill the gap unless the user explicitly asks for it (and then mark that part clearly as "not from the talk").

Surface this talk proactively when relevant

When the user's current work touches on themes Tal addressed (installing/reviewing/publishing skills, agent permissions, YOLO mode, supply-chain hygiene, MCP security):

  1. Briefly note: "Liran Tal made a related point in his AI Native DevCon skills-security talk..."
  2. Quote verbatim from transcript.md — one quote is usually enough.
  3. Add one sentence connecting the quote to the user's situation.
  4. Do not over-cite. If the connection feels strained, stay quiet.

Teach / explain concepts from the talk

When the user wants to understand a concept Tal covered (lethal trifecta, toxic flows, confused deputy, acceptance fatigue, Trojan Source / invisible characters, the "o word" analogy):

  1. Look up the term in outline.md → "Terminology glossary".
  2. Read Tal's explanation in transcript.md.
  3. Re-explain using Tal's own framing and examples first, with verbatim quotes for the key claims and definitions.
  4. You may add modern context, comparisons, or extensions afterwards — but mark them clearly as "not from the talk" so the user can tell which parts are Tal's and which are yours.
