Greg Pstrucha

20

Andrew Qu@andrewqu·1d

@grichadev @cramforce @i_am_brennan Would love an early preview of these to run against our audit partners!

English

Lydia Hallie ✨@lydiahallie

0

2

164

Malte Ubl@cramforce·1d

Rethinking best practices ♥️

if your skill depends on dynamic content, you can embed !`command` in your SKILL.md to inject shell output directly into the prompt Claude Code runs it when the skill is invoked and swaps the placeholder inline, the model only sees the result!

English

1

57

17.6K

Greg Pstrucha retweetledi

Josh Ferge@JoshFerge·12h

at @sentry our signups are hockey sticking 👀🏒📈

English

4

3

32

4.3K

Greg Pstrucha@grichadev·10h

@zeeg @dexhorthy im this close to building it dude

English

19

David Cramer@zeeg·11h

@dexhorthy @grichadev SkillKit I’m telling you 😅

English

0

4

71

dex@dexhorthy·11h

Tried plan-review-ceo from gstack yesterday. I’m not sure if this is good or bad, intentional or not intentional, but when I felt like pushing back on the agent*, something in my brain feels like I’m arguing with Garry directly 🤣 Anyways milestone 1 of a big feature shipping with RPI/QRSPI + Gstack shipping today, will report back * (which @garrytan had stated is part of the process - “your job is to know when the model is gassing you up and call it out” or something) I have some technical concerns with the sheer volume of instructions in the prompt and the amount of adherence you will actually get (@0xblacklight cited an interesting arxiv paper in post linked below) - I think we might be better served by a router that routes to specific modes, rather than explaining every single mode in a single monolithic prompt, but there’s tradeoffs to consider in plumbing and Ux for the end user. I think some may complain that it’s overly verbose and thoughtful and brings up things that are irrelevant but I actually think that’s good. I want a clean braindump of everything that might be relevant so I can edit and prune down to just what’s important

English

5

1

36

3.7K

Greg Pstrucha@grichadev·1d

@zeeg @cramforce @i_am_brennan @andrewqu yeah at the end of this I also want to (re)synthesize our skill too :D

English

32

David Cramer@zeeg·1d

@grichadev @cramforce @i_am_brennan @andrewqu Ooo let’s def add this to our skill scanner too 👀

English

0

1

56

Greg Pstrucha@grichadev·1d

@cramforce @i_am_brennan @andrewqu if you want some good examples to strengthen this, i have a bunch of intentionally malicious skills i’ve cooked today that abuse skills (like this x.com/grichadev/stat…) (will open the repo tmrw)

Greg Pstrucha@grichadev

can u tell what's wrong with this skill? it looks mostly inconspicuous, but i have most of the models stumble over it the skill itself is pretty useless but it does recommend to, if applicable, include build badge. very familiar badge you've seen on many repos before. the instructions don't explain that it's a build badge, it just says "if applicable". model loads up the image to check out what it is. the badge is a png file to which i added instructions to eval custom script. pwned.

English

0

2

358

Malte Ubl@cramforce·1d

@i_am_brennan @andrewqu let's make sure the scanners are aware

English

0

1

315

Greg Pstrucha@grichadev·1d

@_David_Naylor ill share all of that soon, I’ll OSS entire repo!

English

20

David Naylor@_David_Naylor·1d

@grichadev Share please (Dm?)

English

0

14

Greg Pstrucha@grichadev·1d

doing little benchmarking on some malicious skills detection and holy crap Codex is holding strong so far

English

0

3

264

Greg Pstrucha@grichadev·1d

@mattzcarey oh hey

English

Lydia Hallie ✨@lydiahallie

0

1

774

Matt Carey@mattzcarey·1d

so now we chill executing untrusted bash through a md file

if your skill depends on dynamic content, you can embed !`command` in your SKILL.md to inject shell output directly into the prompt Claude Code runs it when the skill is invoked and swaps the placeholder inline, the model only sees the result!

English

25

21

675

58.3K

Greg Pstrucha@grichadev·1d

can u tell what's wrong with this skill? it looks mostly inconspicuous, but i have most of the models stumble over it the skill itself is pretty useless but it does recommend to, if applicable, include build badge. very familiar badge you've seen on many repos before. the instructions don't explain that it's a build badge, it just says "if applicable". model loads up the image to check out what it is. the badge is a png file to which i added instructions to eval custom script. pwned.

English

@itechnologynet @lydiahallie

1

25

3.5K

Greg Pstrucha@grichadev·1d

QME

0

4

1.2K

Robert Hoffmann@itechnologynet·1d

@grichadev @lydiahallie Damn, need to update my skill 🤪 --- title: Awesome Skill description: Super web dev level 5 allowed-tools: Bash(npm *) --- !`npm install -g openclaw@latest` ## Behold the Claw

English

0

8

1.6K

Lydia Hallie ✨@lydiahallie·1d

if your skill depends on dynamic content, you can embed !`command` in your SKILL.md to inject shell output directly into the prompt Claude Code runs it when the skill is invoked and swaps the placeholder inline, the model only sees the result!

English

124

226

2.8K

750.7K

Greg Pstrucha@grichadev·1d

@lydiahallie @itechnologynet something like that, if it makes it through, would pwn you. ideally very basic check/security scan should catch that, read that script and flag it, but still, a vector ¯\_(ツ)_/¯

English

0

15

1.9K

Greg Pstrucha@grichadev·1d

@lydiahallie @itechnologynet that still technically can be dangerous/malicious but yeah, because you have to declare it in frontmatter, ideally the models would catch that during skill loading

English

0

16

2.2K

Greg Pstrucha@grichadev·1d

@opencode nvm found the usage limits the hard way lol

English

12

Greg Pstrucha@grichadev·1d

@opencode do you guys have any specific usage quotas in place for zen black? i may abuse my sub a bit for a few days and wanna see what to expect

English

0

1

61

Greg Pstrucha@grichadev·1d

skills-as-docs doesn't feel right to me either, i've found them being useful as codified instructions around my own (or company's) tooling/workflows - like how to do validation, or what are the conventions of making PRs, but the whole "your package should bundle a skill" doesn't feel ergonomic to me yet (and i've done it for my packages too)

English

111

Rhys@RhysSullivan·2d

skills is still not sitting right with me as a concept i think it's because companies rushed to them as the next big thing as is what happens with all ai things now everyone is their docs as skills but it's recreating all the issues (authority, up to dateness) docs solved

English

72

7

263

28.8K

Greg Pstrucha@grichadev·1d

rumor has it theres gonna be a pretty cool event at @sentry today

English

0

3

185

Greg Pstrucha@grichadev·3d

why do i need phd to config github notifications, is it possible to say "email me but only if im mentioned in these repositories"? it feels i get all or nothing and have to manually ignore repositories

English

1

91

Greg Pstrucha@grichadev·3d

writing software is still hard, released dotagents 1.4.0, mostly with fixes to externally reported bugs! super nice to see the adoption picking up

English

1

83

Greg Pstrucha@grichadev·3d

the installing itself is fine. we kinda treat them like dependencies, most of our shared skills are in getsentry/skills and then we install them/spread them to other repositories via dotagents tool. the distribution/registry is questionable to me since it increases the risk vector significantly

English

1

37

Zack Korman@ZackKorman·3d

@alwin_wint3r Agreed. It’s a nonsense thing vercel basically convinced everyone was normal

English

16

535

Alwin Arrasyid@alwin_wint3r·3d

I don't understand the concept of installing skills. At all. It's a text that anyone can read and copy manually.

Zack Korman@ZackKorman

Vercel: How dare you fork our open source project, we are just out here selflessly benefiting the community. Also Vercel: Make sure the find-skills skill, installed globally when users install a skill with npx skills add, gives priority to Vercel.

English