Essays
Longer-form writing.
- Dependency scanning should be a default, not a discipline
  Vulnerability scanning fails like ergonomics: fine when you remember, forgotten the one time it matters. I created autoscan-kit to push the scan into places that fire on their own, so skipping it is harder than running it.
- Most people doing 'vibe-coding' inherited a developer's attack surface without realizing it
  Coding agents hand non-developers a developer's full attack surface, without the years of instinct that come from working in the trenches of software development. The exposure is identical, but the defense is absent. The fix must live in the defaults.
- Skills are the new agents; an ode to skills, and the risks
  Coding agents are becoming orchestrators of specialized skills. But the ecosystem is fragmented, unversioned, and largely unaudited.
- Skills are just text files. So where's the lockfile?
  Skill distribution is a mess: no manifest, no version pinning, no lockfile. A skill is a prompt injected into a privileged agent, so it's a supply-chain problem. The boring fix already exists.
- Export controls come for the models
  Anthropic's Claude Fable 5 was disabled to comply with a US export-control directive barring foreign nationals. As always, this hits defenders hardest; some lessons from history and my take on it.
- My bet for human work: distributed allocation
  After automation, the so-called 'human residue' will no longer be management, but rather deciding, at the task level, where to point agent spend.