ML.

Skills

Analyzing SkillSpector: How Do You Check Whether an Agent Skill Is Safe?

SkillSpector is NVIDIA's security scanner for AI agent skills. It vets a skill before install to find prompt injection, data exfiltration, and malicious code. We analyze its structure — a LangGraph map-reduce graph that fans out to 25 analyzers (static patterns, AST, taint, YARA, MCP, LLM semantics) and reduces them to a single risk score — against Superpowers and ponytail, which inject skills.

Analyzing ponytail: How Does a Skill That Makes Agents "Write Less Code" Ship to 16 Agents?

ponytail packs a single discipline — the "lazy senior dev" laziness ladder — into one SKILL.md and ships it to 16 agents via every mechanism (skill, hook, command, MCP, plugin), proving a ~54% code cut with a real agentic benchmark. We analyze it against Superpowers, and the idea that a skill is a bundle of discipline, distribution, and measurement rather than code.

Analyzing Qwen Code: How Far Has a Terminal Coding Agent Become a Platform?

Qwen Code is a TypeScript-based coding agent that bundles a terminal CLI, an LLM provider abstraction, a tool scheduler, MCP, Skills, Subagents, the qwen serve daemon, channel plugins, and IDE integration into a single repository. We analyze how it reconstructs a Claude Code-style experience on top of Qwen/DashScope, multiple providers, and an extensible agent runtime.