We Vetted 2,000 AI Skills Before They Reached Developers
Official Schedule Context
- Date/time: 2026-07-01 · 1:55pm-2:15pm
- Track/room: AI in Finance · Track 3
- Speaker(s): Lucas Palma
- Session type/status: session · confirmed
Official Description
AI skills and plugins are becoming part of the software supply chain. They steer agent behavior,
describe tools, run commands, access files, and shape how developers build with AI. Treating them as
harmless configuration is a mistake. This talk shares what we learned from building an automated
security review system for more than 2,000 internal AI skills before they reached a company wide
plugin marketplace. I will walk through the risks we found, the checks that worked, the checks that
created noise, and how we turned skill review into something developers could run locally and in CI.
We will cover practical patterns for reviewing unsafe instructions, destructive commands, sensitive
data exposure, risky tool use, credential handling, external calls, and agent behavior drift. The
goal is to help AI engineers think about skills, plugins, and agent instructions as production
dependencies that deserve review before they reach real users.
Related YouTube Video
No related AI Engineer channel video found yet.
Transcript Status
No official session recording transcript was found by exact title match on the AI Engineer YouTube channel during this run.
People
Notes
- Pending transcript synthesis when an official recording or confirmed matching video is available.