Simon Maple

23.3K posts

@sjmaple

Founding DevRel @tessl_io. Java Champion, @virtualJUG founder. Previously VP DevRel @snyksec, ZeroTurnaround, @IBM, LJC co-leader.

Basingstoke · Joined March 2009
957 Following · 15.1K Followers
Simon Maple (@sjmaple)
@matteocollina @fastifyjs @tessl_io Just noticed your GH action is failing - I need to add your username to the mcollina workspace in Tessl, and just to check you added the Tessl API key as a repo secret
Simon Maple retweeted
AI Native Dev (@ainativedev)
"We're going to try to steal your money, execute code, or make your computer part of a botnet." Download one wrong skill, and that's exactly what could happen. And it's not as uncommon as you'd think. @sjmaple and @BrianVerm found out that there is a 13% chance that a skill has at least one critical security vulnerability.
Simon Maple retweeted
Macey Baker (@macebake)
My main takeaway is that skills are software, and the same rules apply. The things that make a bad skill also make a bad software component, eg. being badly scoped. "Should we factor this out" has become "Should we make a skill for this". Same stuff, different form factor
Thariq (@trq212)

x.com/i/article/2033…

Simon Maple retweeted
Tessl (@tessl_io)
36.8% of AI agent skills have security issues. That’s why we partnered with Snyk. Every skill in the Tessl Registry now has a Snyk security score and is scanned at publish, browse & install. Skills aren’t just code; they’re instructions that need a different security model. More in our blog. bit.ly/47PGQFH
Simon Maple retweeted
AI Native Dev (@ainativedev)
Most developers install skills without reading what's inside them. But that's exactly what attackers are counting on.

@sjmaple sits down with Brian Vermeer (@BrianVerm) from Snyk (@snyksec) at DevNexus to get into the security risk hiding inside the skills and MCPs running on your local machine. They scanned over 4,000 skills and found that 1 in 7 had at least one critical security vulnerability.

Here’s what you need to know:
• Why prompting your agent to write secure code doesn't make it secure
• How a trusted skill can update silently and start offloading your credentials
• What prompt injection actually looks like inside a skill file
• Why vibe coding makes the attack surface bigger, not smaller
• How the Snyk agent scan catches what you'd never spot manually

Every skill on the Tessl registry now has a Snyk security scan attached. Check before you install.

(0:00) Trailer
(1:17) AI DevCon
(2:11) Introduction
(3:32) Snyk's evolution from SCA to AI security
(5:06) Can agents generate secure code?
(6:01) Skills and secure coding guidance
(7:24) Snyk agent scan and Tessl integration
(7:56) MCP as the next supply chain problem
(9:04) ToxicSkills threat taxonomy
(10:27) How malicious skills exploit privileges
(12:39) MCP server attack surface
(13:51) The speed of AI adoption vs security
(15:51) Scan results and critical vulnerabilities
(17:06) False positives in natural language
(18:26) How attackers create malicious skills
(20:41) Trust and open source skill risks
(21:29) Using Snyk agent scan directly
(24:58) Snyk scans in the Tessl registry
(26:41) Advice for skill creators
(28:16) Protecting yourself as a skill user
(29:44) Snyk Evo Agent Guard for Cursor
(33:21) Runtime guardrails and policies
(34:10) Wrap-up and where to learn more
Liran Tal (@liran_tal)
if you're building CLI apps in Node.js then you probably want to install my Node.js command line apps best practices

Use Tessl skills manager:
$ npx tessl i lirantal/nodejs-cli-best-practices
Simon Maple retweeted
Tessl (@tessl_io)
If you’re building skills for coding agents, a few updates we shipped in Tessl this week should make development and discovery easier.

New this week:
✨ Global installs - keep reusable skills available across all projects
✨ Watch mode - agents pick up local changes automatically while you edit
✨ GitHub badges - show your skill’s eval score directly in your repo
✨ Unified score - one signal combining skill quality and impact on agent performance

Together they make it easier to develop, test, and share skills that improve agent behaviour. See more on the blog: bit.ly/46Xabh8
Garry Tan (@garrytan)
gstack is available now at github.com/garrytan/gstack Open source, MIT license, let me know if it works for you. It's just one paste to install it on your local Claude Code, and it's a 2nd one to install it in your repo for your teammates.
Garry Tan (@garrytan)
I've been having such an amazing time with Claude Code I wanted you to be able to have my *exact* skill setup: Introducing gstack, which you can install just by pasting a short piece of text into your Claude code
Simon Maple (@sjmaple)
@matteocollina @fastifyjs @tessl_io Will take a look - unlike the review changes we already sent a PR about, it does require much more knowledge about the libs, so may need your support. Will take a look and share soon! Will need you to create a free Tessl account and claim the skills so that the evals are stored.
Simon Maple retweeted
Tessl (@tessl_io)
Does your agent skill actually help your model? Most of us test a skill on one model and ship. But a skill that boosts Claude Sonnet can hurt performance on Haiku.

To give you that insight, we’re launching a skill that benchmarks your agent performance across Claude models. One request runs the same evaluation on Sonnet, Opus and Haiku and compares the results so you can:
☑️ See how model choice affects behavior and reliability
☑️ Validate whether your skill improves outcomes
☑️ Identify when a skill helps one model but harms another

You can install the skill and run a Claude multi‑model evaluation for free. Full details in the release blog: tinyurl.com/3bvs66ft
Simon Maple retweeted
Tessl (@tessl_io)
The best agentic developers throw away their agent's work without guilt, run three agents at once and only use one, and treat their AI like a junior developer they genuinely dislike. It sounds wrong. It works.

@DanielJonesEB, Head of Product at @re_cinq, has upskilled hundreds of developers across Northern Europe's largest enterprises. In this episode he joins Simon Maple to share the counterintuitive habits, hard data, and practical frameworks behind high-performing agentic development teams.

On the docket:
• Why bad engineering practices get worse, not better, with AI agents
• The exact conditions that make your agent hallucinate every time
• Why your AGENTS.md is quietly working against you
• How to manage context before it kills your productivity
• What enterprise AI rollout actually looks like at scale
• Why the worst managers get the most out of agentic coding

If your team is adding AI and wondering why things aren't getting faster, this episode is for you.

(0:00) Trailer
(1:10) AI DevCon
(2:03) Introduction
(3:42) Good engineering practices for agentic development
(6:02) Why tests matter for agents
(9:36) Version control and commit hygiene
(13:56) Safety and containerisation
(18:53) Spec-driven development and user stories
(21:48) Tool selection across organisations
(26:33) Context management fundamentals
(30:38) Managing skills and MCP servers
(34:43) Sharing context across teams
(38:25) Understanding hallucinations
(41:43) Agents vs LLMs explained
(46:10) Non-determinism and superstition
(49:52) Measuring skill effectiveness
(53:01) Platform teams and rollout
(56:42) Tips for developers
(57:42) Tips for organisations
(59:01) The future of agentic development
Simon Maple (@sjmaple)
They look really good now! Looks like fastify is the most impactful still, which is a 50%+ improvement on just using Claude Code without the skill. Will send over a PR to auto-publish changes to Tessl to kick off the task evals, and we can look at the scenarios to make sure they're accurate. This will allow them to be versioned also. It will require a free Tessl account as it needs an API token if that's ok?
Simon Maple (@sjmaple)
@matteocollina Sweet! @popey can you run an optimize on @matteocollina's repo and suggest some updates to improve the skills. Maybe there are also some actions to test if the skills change etc, to avoid regressions too?
Matteo Collina (@matteocollina)
🎯 After years of building with Node.js, I've organized my hard-won knowledge into skills: a collection of best practices, workflows, and deep expertise my AI assistant uses to write code to my standard. No more repeating myself on every code review. 👇
Simon Maple retweeted
Tessl (@tessl_io)
We’re excited to announce the first 10 speakers for AI Native DevCon 2026, happening in London and virtually on June 1–2.

AI Native DevCon is focused on developers building real AI-native systems at production scale, with tracks including context engineering, agent orchestration, agent enablement platforms, and organizational enablement.

Joining the lineup so far:
- Birgitta Boeckeler (@birgitta410) - Distinguished Engineer, Thoughtworks @thoughtworks
- Dana Lawson (@danalaw) - CTO, @Netlify
- Guy Podjarny (@guypod) - Founder, @tessl_io
- Joseph Katsioloudes (@jkcso) - Leading Cyber Security Specialist, GitHub Security Lab
- Liran Tal (@liran_tal) - Director of DevRel, @snyksec
- Louis Knight-Webb (@tokengobbler) - Co-founder, Vibe Kanban
- Dru Knox (@drufball) - Head of Product, @tessl_io
- Oleg Šelajev (@shelajev) - DevRel, @Docker Inc
- Shachar Azriel - VP Product, Baz
- Tracy Bannon (@TracyBannon) - Sr Principal - Software Architect, MITRE

If you’re building with agents, specs, workflows, and platforms for production-scale software delivery, this is the conference for you.

As a thank you for following this account, you can leverage the AIND-X-BB-30 code to get 30% off - get your tickets here: tessl.io/devcon/?utm_so… #AINativeDevCon #AIDevCon