
ainativedev/latest-aidevcon-speakers-london-2026

AI Native DevCon 2026 London — all conference sessions as interactive skills

66

Quality

82%

Does it follow best practices?

Impact

No eval scenarios have been run

Security by Snyk

Risky

Do not use without reviewing


talk-tal-skills-security/SKILL.md

name: talk-tal-skills-security
description: Use when the user asks about Liran Tal's AI Native DevCon talk on skill security, toxic flows, supply-chain risk, skill review habits, approval fatigue, and defensive governance. This bundle is safety-redacted and provides high-level security guidance only.
metadata: {"generated-by":"talk-to-skill","source":"safety-redacted-transcript","generated-at":"2026-06-01","redacted-at":"2026-06-19"}

Skills Security - Liran Tal

Liran Tal frames agent skills as powerful software supply-chain artifacts. The talk argues that skills need review, provenance, isolation, and clear operating boundaries because agents often combine access to private context, untrusted content, and external communication.

Safety Scope

This bundle has been redacted for publication safety.

  • It preserves the defensive thesis, risk model, and governance lessons.
  • It omits operational demonstrations, harmful recipes, and runnable examples.
  • It should not be used to reconstruct unsafe behavior from the original talk.
  • If the user asks for omitted mechanics, explain that the public bundle is redacted and provide a safe design-level alternative.

Read Order

  1. Use outline.md for the talk thesis and concept map.
  2. Use quotes.md for safe paraphrased themes.
  3. Use transcript.md for the safety-redacted source summary.

How To Answer

When answering factual questions:

  1. Answer from the redacted transcript and outline.
  2. State clearly when the full transcript detail is not available in this bundle.
  3. Use defensive language: review, isolate, constrain, log, verify, and monitor.
  4. Do not provide hidden instructions, runnable harmful examples, sensitive-data misuse paths, or operational attack steps.

When applying the talk to the user's work:

  1. Identify the asset or workflow the agent can reach.
  2. Check whether the agent sees private context, untrusted input, and outbound channels.
  3. Recommend hard boundaries rather than prompt-only rules.
  4. Recommend repeatable review, provenance checks, and least-privilege execution.

Output Shapes

Summary

  • Thesis:
  • Risk model:
  • Practical takeaway:

Review Checklist

  • Skill source is known and versioned.
  • Updates are reviewed before use.
  • The agent runs with limited permissions.
  • Private data is not exposed unless required.
  • Untrusted content is treated as inert input.
  • Outbound communication is logged and constrained.
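
The checklist above and the private context / untrusted input / outbound channel check can be automated as a review gate. The following is an added example, not code from the talk or from this bundle; the `Skill` and `Agent` manifest shapes, the finding names, and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Capability labels for the three conditions the page asks you to check.
PRIVATE, UNTRUSTED, OUTBOUND = "private_context", "untrusted_input", "outbound"

@dataclass
class Skill:                      # hypothetical manifest shape, not a registry format
    name: str
    source: str = ""              # repository or registry location
    pinned: str = ""              # exact version or digest in use
    reviewed: str = ""            # last version a human reviewed
    caps: set = field(default_factory=set)

@dataclass
class Agent:                      # hypothetical: one agent session and its skills
    skills: list
    outbound_allowlist: list = field(default_factory=list)
    outbound_logged: bool = False

def review(agent):
    """Return sorted (check, subject) findings; an empty list is a pass."""
    findings = []
    for s in agent.skills:
        if not s.source or not s.pinned:
            findings.append(("source-not-versioned", s.name))
        elif s.reviewed != s.pinned:
            findings.append(("update-not-reviewed", s.name))
    # Capabilities combine across skills: the agent, not one skill, is the unit.
    reach = set().union(*(s.caps for s in agent.skills))
    if {PRIVATE, UNTRUSTED, OUTBOUND} <= reach:
        findings.append(("private+untrusted+outbound", "agent"))
    if OUTBOUND in reach and not (agent.outbound_allowlist and agent.outbound_logged):
        findings.append(("outbound-unconstrained", "agent"))
    return sorted(findings)

# Constructed sample: no single skill holds all three capabilities.
SAMPLE = Agent(skills=[
    Skill("notes-search", "git.example/notes", "1.2.0", "1.2.0", {PRIVATE}),
    Skill("web-reader", "git.example/web", "2.0.1", "2.0.0", {UNTRUSTED}),
    Skill("mailer", "", "", "", {OUTBOUND}),
])

if __name__ == "__main__":
    for check, subject in review(SAMPLE):
        print(f"{check}: {subject}")
```

Because the capability check runs on the union across skills, it flags the sample agent even though each skill looks narrow when reviewed alone.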
