https://luispa.com/en/tags/supply-chain/Recent content in Supply-Chain on Technical NotesHugoen-USSun, 24 May 2026 00:00:00 +0000https://luispa.com/en/posts/2026-05-24-cuidado-con-las-skills/Sun, 24 May 2026 00:00:00 +0000https://luispa.com/en/posts/2026-05-24-cuidado-con-las-skills/<img src="https://luispa.com/img/posts/logo-cuidado-skills.svg" alt="Beware of Skills Logo" width="150px" height="150px" style="float:left; padding-right:25px" /> <p>Sancho is skeptical by design, and with Skills you need to be more skeptical than ever. In my note <a href="https://luispa.com/en/posts/2026-01-25-sancho-aprende-skills/">&ldquo;Sancho Learns Skills&rdquo;</a> I described how convenient it is to download a ready-made Skill and plug it into your agent. What I didn&rsquo;t mention is the dark side: every Skill you download from a public marketplace is <strong>someone else&rsquo;s code that your agent will run with your permissions</strong>.</p> <p>That&rsquo;s the new weak link in the supply chain: attackers are already poisoning these repositories with malicious Skills. In this note I lay out a few ideas to protect yourself.</p> <br clear="left"/>