This week's articles
3 Principles for Designing Agent Skills
Block Engineering describes designing agent skills around three principles: make deterministic outputs script-based, let the agent handle interpretation and conversation, and write explicit constitutional constraints. Skills codify tribal knowledge into executable documentation that AI agents can apply consistently across the organization.
MCP Server Security: The Hidden AI Attack Surface
MCP servers connecting AI assistants to external tools create significant attack surfaces enabling arbitrary code execution, data exfiltration, and social engineering. Both local and remote MCP servers can be exploited through server chaining, supply chain attacks, and malicious tool implementations.
Sponsor
Rogue cloud assets giving you headaches? Discover every AWS, Azure, and GCP instance your developers have ever created, including the ones they forgot about, with Nudge Security. Within minutes of starting a free trial, you'll have an inventory of:
- Cloud instances and accounts
- Services, domains, organizations, and other resources
- Billing data to help you avoid surprise expenses
The best part? Your inventory will include assets created in the past, not just a forward-looking view of new assets as they are added (but you'll get that too).
Get started today
Tools
brutus
Fast, zero-dependency credential testing tool in Go. Brute force SSH, MySQL, PostgreSQL, Redis, MongoDB, SMB, and 20+ protocols. You can also check out the companion blog post.
tabiew
A lightweight TUI application to view and query tabular data files, such as CSV, TSV, and parquet.
caterpillar
Caterpillar is a security scanning library for AI agent skill files (e.g., Claude Code skills) for dangerous or malicious behavior.
add2abm
macOS script to re-trigger Setup Assistant for ABM/ASM enrollment without wiping the device.
Thanks for reading!
If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌 If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com! Thanks, Marco