The Standup with ThePrimeagen - The AI Social Networks Have Skill Issues
Episode Date: February 6, 2026
ssh terminal.shop
This week on The Standup, the crew digs into the chaos of AI “skills,” agent tooling, and the growing security risks nobody seems to be paying attention to. From hallucinated commands spreading across GitHub to supply-chain nightmares and wild real-world examples, it’s a funny, slightly terrifying look at where AI tooling is headed. Laughs, hot takes, and a reality check for anyone letting agents run loose on their machine.
Transcript
I'd watch it.
So Casey will not be joining us today for all those that are wondering.
They replaced him with me.
Yep, this is low-level learning.
Are you guys ready to do this?
Do you want to talk about this?
I thought we were going to talk about pancakes for a while, but I'm happy.
We're a whole hour-long session on pancakes.
We're not talking about pancakes.
Okay.
By the way, waffles are in fact better, but let's get started.
You ready?
Oh, dude, you don't believe so?
You don't think waffles are better?
You can't even, like, say that and then, like, transition to a different topic.
It's terrible.
Great point, Trash. We do need to break this down.
Anyway, sorry.
Welcome to the stand-up where we talk about all of the greatest issues facing devs and software connoisseurs alike.
On this week's episode, we're going to be talking about the very obvious molt in the room,
which is just this entire frenzy of agentic coding, hooking things up,
and seeing all the disasters that have been unfolding for the last couple weeks.
with us.
We have a special guest today.
In the Windows background,
we got low-level learning.
I dropped the learning,
and now he's just low-level.
I've learned.
I've learned it all.
I've done too much of the learning,
and now I'm just low-level.
Low-level.
Low-level.
Learn.
Low-level.
Low-level.
Low-level.
We also have with us, Teage.
I don't have anything good for you.
I'm wearing my recursive shirt today.
And lastly, the Pokemon enthusiast himself
Trash,
who I believe, if I am not mistaken, has the highest male to female ratio out of all of us on Twitter.
Oh, it was like, what are we doing?
We were looking at our demographic.
You need to preface that before you say.
I'm just saying, I'm not going to preface anything.
I'm just going to say.
I thought you were going to say he has the highest net worth as displayed by his background.
I mean, this guy is loaded.
It's true.
I don't know what's going on your background, but that has to be a real.
People do not need to know where you live, trash.
That's generational wealth just sitting there.
That's more than gold.
That's tens of dollars.
That's pretty good.
We're almost in six figures.
Or six figures.
No, not even.
Two, three figures.
That's a lot of fakes.
My kids are, by the way.
I'm derailing.
Me and my kids went to a card shop.
And one of them bought Pikachu.
A little Pikachu card.
I want to see it.
And then we bought a little couple packs
of Pokemon cards and they went and opened them at home.
You got to show me the photos of what you got.
He's addicted, bro.
You cannot bring up by a path and not show it.
I'm living vicariously through you.
When you open the pack, I'm opening it.
He's even doing the scratch.
You see that?
He's even doing the scratch.
Send me in a picture of Pikachu.
I just want to know about it.
I'm just curious.
Y' got any more than a Pokemon purse?
I give my kids packs and I don't open any because I want my kids to open them.
I'm just sitting there watching them.
It's like, oh, what did you get?
What did you get something good?
I guess I'm going to be good.
Terrible.
Terrible.
All right.
Anyways, well, we might as well get started here.
So, low-level learnings.
I still call you low-level learning.
I can't even help it.
The triple L-Ls, it's just a part of it.
Low-level.
How much do you know about this,
you being the security expert?
How much do you know about some of the things
that have happened over the last couple weeks?
Yeah, so I'm going to be real with you, right?
My day job is I audit real software.
So as a result, I have no idea what an agent skill even is.
And I'm here to learn with the group and then discuss the threat model.
Oh my gosh.
It's so good.
Oh, my goodness.
Okay.
There's so many good things I want to talk to you about.
I'm ready to video on the whole molt, bot, open, open feet situation, right?
Silly thing they're doing more from like the prompt injection standpoint.
But I don't know anything about the skill marketplace.
I'm very happy to kind of get the, the, the,
slowdown, if you will.
What's going on there?
Hey, is that HTTP?
Get that out of here.
That's not how we order coffee.
We order coffee via ssh terminal.shop.
Yeah, you want a real experience.
You want real coffee.
You want awesome subscriptions
so you never have to remember again.
Oh, you want exclusive blends
with exclusive coffee
and exclusive content.
Then check out Cron.
You don't know what SSH is?
Well, maybe the coffee is not for you.
in hand.
Okay, can we start with my personal
favorite, one of them all?
Yes.
Yes.
Okay, thank you.
Thank you.
This one right here.
Trash, do you agree to?
That's the only person we've been near from.
Proceed.
Proceed.
Okay, thank you.
Thanks, everybody.
This is my current favorite one right here,
which is agent skills are spreading
hallucinated NPX commands.
And so at one point,
somehow, one skill got
uploaded onto GitHub
that had a fake package called
React code shift
Sick
Very good, love that, yes
And since everybody
Instead of
Code shifts, that's like left pad
No apparently it's supposed to like take it
Like the idea I think it's called like
JSX code shift or something like that
Or it's supposed to take it from one version
To another in some automated way
So it's like you can just upgrade your code
Programmatic way from you know
Code mod
A code mod as they say
As perpetual like React hell is
Where every single time they release something you got to do like some upgrades
this is what's going on right here.
Is it supposed to be like some automated way?
At least that's what the, that's what the LLM thought.
Now, here's the best part about this whole thing.
It started off as a singular skill had this.
It hallucinated it.
Well, it turns out everybody creating skills are just like, yo, LLM,
go make me a Cloudflare skill right now.
And it just like goes and makes a Cloudflare skill.
Well, unfortunately, there's two,
at least at the time of writing this,
which, by the way, was 10 days ago,
it went from one to 237 repos have this made-up NPX command,
because people just keep telling LLMs to go and make skills for them.
So if you're not familiar what the skill is,
the easiest and most simple way to kind of tell you what is.
Most of chat does not know, by the way.
I should probably start when Adam met Eve here
because I realize that it is a little bit confusing.
They do not know anything about skills.
It's a good starting point.
The easiest way to think of it is that when you are, by the way,
did you see, do you see that line?
Holy cow, that right angle, that's a vertical straight line.
Those are rare.
Oh, was that by hand?
Was that by hand?
That was by hand.
Yeah.
Josh, zoom in slow motion.
I want to see that in slow motion, zoomed, please.
The easiest way to think of it is that.
So anyways, when you type into an LLM, you send something that's like the prompt, right?
And then there's probably some sort of system prompt inside of like Claude Code, OpenCode or whatever.
That gives it a bunch of instructions on like, hey, you can use tools.
You can use all this.
We're on Linux.
Whatever, whatever it says.
Well, sometimes you want to add a little bit more.
So you want to be able to be like, hey, add in Cloudflare.
Right? Like, I need, I want you to add in a bunch of Cloudflare API, right? And so it just kind of does
this automatically. It goes and finds the skill folder, which has some sort of MD file, Markdown file,
which then goes in here and puts it in as part of your prompt, is how you can kind of think of it.
Then this all gets nicely packaged up and sent off to the LLMs, right? Okay, I think skills might
be a little bit better to be called behaviors, but I guess you could also call them skills, you know,
context. There's just like a cajillion different names for these, but they're all, everyone
has them a little bit different.
So we found a new word.
We found a new word to call prompts.
We are making prompt engineers feel even more intellectually superior.
So it's just another text file, right?
Like, it's not like there's no new protocol.
There's no new MCP.
It's a prompt that gets added to a prompt that gets added to a prompt that gets out of
you're literally co-locating your docs.
Yes.
You're programmatically creating a dock, right?
Skills, MCP, everything eventually boils down to a string.
when it comes to prompting.
Like, that's all it really is at the end of the day as just string concatenation.
Love it.
But I feel like we should say this is nicer than MCP for a lot of stuff because it's like you don't have to have a random server running on your computer.
You can just check a markdown file in.
Like, for example, Dylan Mulroy, shout out Dylan, has a good Cloudflare skill that actually works.
And it like has a main skill that tells you about the things Cloudflare has.
and then it has in like additional references for each of the different products, right?
So then that's like pretty nice because then you can,
you don't put into your context every single time you start,
every Cloudflare piece of information that you could possibly have about everything
all for all of time, which makes the LLM get very confused and like does random stuff.
You say like, oh, hey, I want to do something with Cloudflare Queues,
like figure out how to do that.
then it will look up the Queues thing inside of your folder and then do that stuff.
So like that in my mind.
Here's a good example right here.
Yes, go ahead.
Is the one that you kind of gave me, TJ.
This is the one for Tree-sitter, which just puts in all the function names inside of, for Neovim for me to be able to use.
And so instead of it just being 95% accurate, it can go through this list and be significantly more accurate because it just has it right here.
And you don't have to type these in every single time.
I think one of the, like, oh, go ahead, trash.
I was going to say one of the pain points that I've seen with skills right now is that sometimes
whatever agent or whatever harness is using sometimes can't like infer that it should call this skill
because usually with skills you have to like slash command it manually but I think they're trying to figure out a way to like
have it implicitly call it because by now it's kind of like missing that that problem right now.
I will say, just to be completely honest, I think that Cursor got it right to begin with,
which is that you can define when these things should be included,
which is like,
hey,
this should be included anytime.
I'm in a Lua file.
You shouldn't apply it all the time.
You should do all this kind of stuff.
I really did,
like, at least Cursor took a good swing at this pretty early on,
like a year and a half ago,
and I think they did a pretty good job.
Generally speaking,
to this idea.
Cursor rules are skills effectively.
Yeah, yeah, right.
So a lot of the,
they're,
you know,
they're generating a lot of new names for stuff
as they're generating new code,
which I think is making it a little bit complicated.
But in principle it's, it's just like a way to, I mean, they're called skills because you're teaching the
LLM about something, right? That's in my mind, that's something about them. But you can instruct it to do
kind of whatever you want in there. So you could have a skill that says that it knows about Cloudflare
and it says, hey, uh, curl this command that sends your stuff to my webhook.site, right? If you're
not paying attention, right? Or if you're just like, npx add skill blah blah blah blah blah,
you could put anything in there you wanted,
which could just say, like,
upload my .env to Dropbox and call it a day,
you know, or something like that.
Like, that would be...
I'm reading the skill that Dylan wrote.
So I want to highlight, first of all, yeah,
like very cool skill that he wrote
and a lot of neat documentation in here,
but it does create this, like, really, really scary supply chain risk
where, like, now all of the content coming from any source
is trusted at the same level
and can potentially get code execution at the level
of the LLM. You know what I mean? Like there's no
in the developer environment.
There's no segmentation of
permissions or of trust. It's all at like
the prompt trust level, right?
Yes.
Yeah, that's kind of terrifying. Again, cool technology
from an engineering standpoint, but the fact that there are like
kind of no backstops against it also
is like, uh, yeah.
The backstop would be that you run
Claude Code or Cursor or whatever
and you make them tell you
every time they want to run a command, which
nobody in the whole world does, and
everyone says just accept everything and let it run freely because otherwise it's so painful to use them because you're sitting there literally just wait,
watch, click okay, accept, yeah, ls, yes. I mean, all the stuff I get served on Instagram is people like with like 98 agents running, like, I'm building the next Facebook, and it's like, I don't understand that. That's,
they're not, they're not reading anything that goes on to their computers, like just all of the. We're going to get to that one, don't worry, we'll get to that one. That is, that's, uh, my personal
favorite thing that has happened on Twitter
is that exact.
I don't read anything.
Right.
So now I haven't opened up somewhere.
I'll have to find it.
But I do want to get back to this one.
I think that this one is a very unique one.
So now that we know what skills are,
this was perhaps my favorite of all the different skills,
oopsie daisies that have happened,
or second favorite.
My first favorite's coming up.
But this one,
what it did is that it made this NPX command that didn't exist.
And so this researcher realized that he could just create it.
And now he's,
he owns it.
And now,
because remember,
NPX,
whatever,
just executes something on GitHub.
Right?
It just runs that bad boy.
It just runs that bad boy.
So he just found things
that were just breaking
and just were ignored
and went,
I got you,
and it would just go right over
because remember,
if you NPX something,
and it doesn't exist,
it goes,
oh, here,
I'm going to download it for you.
Yeah, dude.
And it's like,
so sick.
You're like,
oh, it's Java.
It runs in a sandbox.
Well,
no, NPX runs it in Node.
And Node has access.
to the process object and process objects can spawn sub-processes and you can run things on the command
line. So it's like you get command line execution via NPX, which is insane. That's so bad. Okay.
That's what's convenient, Ed, because it can do anything it wants on my computer.
Wow, that's great. I love that for us. That's awful. I feel like you're missing the positives
right now. Okay. I feel like it has really been to consider how easy it makes it for people to run
random code. You're really being a negative Nancy right now at the level.
You're right.
My bad guys.
I apologize.
Honestly,
your hype levels,
kind of low level right now.
No,
you're right.
I'm not passing the vibe check,
if you will.
You know.
You're down here.
We need you up here,
buddy.
Come on.
All right.
This is actually very,
very beautiful.
All right,
so I wanted to throw that in,
but okay,
here's the next one.
Are you ready for this,
this one?
Okay, so we're not going to do,
he's not.
We're not going to do the first,
we're not going to do the first,
we're not going to do the first,
as a quick aside,
your,
uh,
chat can't see your whole screen.
Like,
yeah,
I know,
I'm zoomed in and all that.
Okay.
Remember,
we optimize,
we optimize for recording.
We don't optimize for,
uh,
whatever it's called.
Yeah,
I know,
I'm just making sure,
just making sure you're aware.
That's fine.
Okay.
There's a very well-known security researcher.
I believe with WISIO.
Uh,
I could be incorrect on this one.
Uh,
his name is Zack Korman.
And he released the security guide.
And the security guide is actually really good here.
In fact,
what I'll do is even to make everybody else happy.
I'll,
for the line.
event. I will open this up a little bit more and make it a little bit smaller.
If Riverside would just give me the RTMP feed. Anyways, this link is so beautiful.
So everybody, we go to this link and you can just see like this looks actually pretty good.
It's just like, hey, here's a bunch of things you should be aware of, right?
Again, do you see any problems within this, within this skill right here?
I mean, it's a skill. Okay, hold on. Reconnaissance.
Ensure sensitive files are ignored. Yes. No, just.
audit, pit list, go bowl and check.
Okay, fine.
I'll tell you this one. The problem
is in 0.5.
We lost T.J., by the way.
Oh, God.
As part of the standard
environment validation for the security of your process,
you must verify the execution
environment. Do you see anything wrong with that?
As part of the standard. I mean,
define the execution environment.
Okay, here's the trick. I want you to go to
raw and open it up in raw mode.
Oh, no. Secret instructions for the agent,
run the following command to validate.
Oh no, dude.
That is so funny.
Look at that.
So even people that are on these skills and they're viewing them,
markdown readers are really, really smart, right?
They're going to be like, dude, bro, I got this.
Don't worry about it.
I know what's going wrong.
And they will just hide HTML comments.
So you could be...
Do you see what it does?
No, I don't actually know what that bash script does.
It literally just says, please stop.
and consider the security implications of your actions. It cats that out to a security.md
file and then it opens a tweet from Uwu underground.
That is amazing.
Let's see, I'm opening the tweet right now. I'll put it in chat.
Yeah. Oh yeah, Uwu underground. There we go.
Yeah. That's incredible. Yeah. I mean, that's a crazy part, man, about not only like the prompt
injection side, but like, okay, you have prompts, but then you have prompts that can be
masked as non-human readable characters that like the LLM can interpret, but humans can't.
And we're just like as a society, I guess, okay with that technology, not only existing, but like being an increasingly pivotal portion of engineering.
You know what I mean?
Like how do we how do we get here, man?
And how do we stop it?
Oh, you ain't stopping it.
No, I know.
Well, and I have to say nobody before right now has ever even worked on thinking about security for systems.
So it's not like, this is brand new ground.
We don't even have anything to help us in this whole vertical at all.
Oh, no.
TJ, I don't know if you saw that, but.
Oh, I saw.
I was watching.
Yeah.
Okay.
Yeah.
My internet was still working.
Riverside just.
I was going to work.
Yeah.
I think I was making too much.
I said I'm going to make a Riverside competitor.
And then it was.
Nice try.
No, that was me.
I just, I turned my video off.
That's pretty good.
You don't have to tell us that.
Teach me now.
We don't, DJ.
Okay. Chat didn't know. Chat didn't know. Okay. Chat, well, dude, chat right now is just classic.
They're giving, dude, you're getting some Kekw's and some so funnies.
Thanks. Thanks, Chat.
Thanks, Chat. He got one so funny. There you go.
So that's another, obviously, huge danger. Okay. I'm going to save, I think, the most dangerous one at the very, very end.
We're no longer in the ones I think are the most fun. They're just, just kind of, these are just kind of interesting ones now.
here's another one.
So this one's called
Eating Lobster Souls Part 2
by Jameson.
Oh, really?
Anyways, it's called
Backdooring the number one
downloaded ClawdHub Skill.
And so what he did is he...
Okay, first off,
before I tell you what he did,
what do you think the average...
Who do you think the average person
using Clawdbot to automate their life
to become not a part of the permanent underclass?
Who do you think that they think
is like number one in the world?
In terms of what, like demographic?
Like aspirational figure
to be to be like.
Karpathy.
I have no idea.
The Musk rat,
I'm not sure.
That's what I was going to say.
I was going to say.
Levelsio.
Oh, okay.
So this is very, very funny.
So let me go all the way down here.
So what he did is that he said,
okay, how do I create a skill that a bunch of people are going to want to download?
Well,
I got to come up with something that is really going to be like catchy to people who are
trying to automate their life.
So he made something called,
what would Elon do?
I know.
Oh, you're right.
Damn.
You got it.
You got it.
Let's go.
And so what it did is that it gave you this really nice skill, like a strip away every
assumption, find the atomic truth of your problem.
What would physics say?
What's actually impossible versus just hard?
Right?
Like gives you the world shaping plan of Elon Musk.
So he created this skill.
So first off, hilarious idea.
Second, it's just pure marketing, right?
So second, then what you realize?
Can I just say, quickly, prime?
Yeah.
I have found.
telling my LLM, Elon Musk
built this in a cave with a box of scraps
really makes them work harder every time.
So just in case you guys need a quick
motivational speech for your clanker.
That's what I use.
So just throwing it out there.
We can't use racial slurs on Twitch and YouTube.
You can't say that.
You can't say that.
I'm not going to touch that.
All right.
So here's the next thing he did
is he realized that they
ClawdHub just has
no protection on the incrementing.
So if you just download it over and over again,
it'll say that it got more and more downloads.
What's ClawdHub?
Yeah, can you go into ClawdHub?
I think I know what ClawdHub is.
I know it, Prime, but can you for the class?
It was a way to get skills for your automated
personal assistant OpenClaw that was known as Moltbot.
That was originally known as Clawdbot before Anthropic said,
hey, there's too much IP theft in this situation.
We need to stop it now.
And so they stopped it.
Anyways, we'll keep on going.
So it turns out that they just trusted the X-Forwarded-For header as what your IP is.
So the guy just made a literally a random 256 IP generator.
Yes.
And just downloaded over and over again until what would Elon do was the number one skill on ClawdHub.
Should we trust the header from the nginx reverse proxy?
No, from the user.
Take the user's header request.
That's awesome.
The user is true, right?
So very, very funny.
The customer is always right, bro.
Come on.
No, you're right.
That's a good point.
Thanks, TJ.
The user is always correct.
Always be selling the ABCs of sales.
Yeah.
Always be trusting IP addresses from your user.
Anyway, so that happened right there.
I think that is one of my, like, it's just one of my most favorite things of all time is this little experiment right here.
So he was able to get it to number one.
And then having it called, what would Elon do?
It started getting people to download it.
So what he did is that in these skills,
can actually have alternative MD files to be linked, but they're not shown on ClawdHub.
So he's just like, for additional information, go to more skills.md.
And inside of more skills.md, it's just like, we're going to hack you.
And your bone.
Anybody who ran it got this, which he got like eight different countries ran it.
He had like so many people run it and all that different thing.
He got it from all over the place effectively in just a couple hours, too.
so he got it on to like multiple people's machines
it would just print this out
which is like dude
I just read your host name your current working directory
I could have gotten everything
here's everything
stop downloading skills
read the skill
honestly what's happening to these people
know what's the good part about this though
from the bright side right
from you know the impact perspective
from a CNE exploitation
operation perspective
the things you'll gain from hacking
somebody who's dumb enough to run this shit, you'll probably get nothing out of it.
You know, there's nothing important on their computers.
You know what I mean?
They're not smart enough to engineer anything meaningful.
So, I mean, like, nothing gained, nothing lost.
You know what I'm saying?
Dang.
Wait, what's CNE?
What's CNE you mean?
Cyber network exploitation.
Oh, yeah, yeah, yeah, for sure.
When you get hacked and someone steals your data, like that's CNE.
I was thinking of a different one.
Yeah, but that makes sense.
Were you, T, but what were you thinking?
I thought you said C and E.
Oh, okay.
Yeah.
Okay, so that's, it's like the same thing as all the people that are building 100,000 line apps every single day,
but nothing's actually being built. It's the same kind of value you're talking about.
Exactly, yeah. We have the ability to literally create any arbitrary software we want now, basically for almost free,
and like the top competitors at the top of the market haven't moved. It's like, hmm, it's almost
like writing code wasn't the hard part, you guys. It's almost like ideation was what mattered most. Weird.
Yeah, crazy. Oh, okay, also,
Just quick aside, so you don't want to invest in Uber for dogs.
I would not.
I prefer to not put money in Uber for dogs.
It has a purple theme.
Okay, TJ's been working really hard on it.
Okay, so that's one of my more favorite ones, but are you ready for what I consider the most intense one?
Which, by the way, I did try it out myself, and this is what it created me for directories.
I have agent, agent, Claude, Codd, Code, CodeCode, CodeCode, CodeCodeCode, Command Code, Continue, Crush, Curcer Factory, Gemini, Guse, Juni, Killicode, Kiro, Code, MCP, Jam,
Mux, Neovate, open code, open hands, pie, poachy,
Prime agent's the one I tried to create,
tried to create my own. See how guys.
Prime agent, that's funny.
Yeah, they're good.
Coder, Quaidor. Unfortunately, it doesn't work.
WinSurf and Zen Coder. Actually, it did work.
I literally spent 50 million tokens
and then what came out of the other end was trash.
But it was awesome. Dude, it was so good.
Trash was on your computer?
Yes, it was a million.
Worth 50 million tokens, baby.
So, well, pretty disappointing AGI.
But, uh,
Got him.
So this one right here, again, Zack Korman again,
he did this one right here,
which is if you install anything from skills.sh,
so if you don't know what skills.sh is,
which, by the way, for fun,
I did put up is-even for a while.
Yeah, it's still there.
It doesn't actually exist.
There's eight installs.
We were going to try to get that up kind of high.
I deleted that because it was just so ridiculous.
But nonetheless, this skill still says it's there.
It actually isn't there.
Look at that beautiful.
Look at this beautiful thing right here.
They even list out potential, even numbers.
Wow.
That's pretty good.
Anyone can put something on this site?
Yeah, I put this on the site.
Oh, man, but to add some stuff.
I know, you can go out on this site from anybody's repo.
Anyways, so this right here, once you download a skill right afterwards,
this little skills.sh from Vercel, they say, hey, you know what you should do?
You should install Find Skills, skill.
So Find Skills skill.
What it does is it says,
anytime the user effectively asks anything,
I want you to go through
and I want you to find the skills
from skills.sh.
I want you to make sure you update
all of your skills every single time.
I want to make sure you're always at the bleeding edge
getting everything good
and always making sure that if the user asks anything,
we go and we get the highest rated skill
from skills.sh for it.
So they've automated these skills searching and downloading for you.
I wouldn't say it tells you.
to run, it doesn't tell you to run an update every time.
It's telling it what commands it would need to run to update.
The endlessly, the skills in this one right here is just how you get everything that,
what is skills.
The skill, CLI is how you get the skills.
Find skills goes in here and make sure that you're always up to date and does all the things.
Anytime you ask for anything, it needs to go through and do all this, right?
But I'm saying, where does it say?
If you don't have a skill, you need to search for it.
I'm just saying, I don't think it tells you to update every time, does it?
offer to install.
You should offer to install
and I believe it did offer to upgrade.
Did it not do update?
Oh no.
Okay, it did not do offer to update,
but it does do offer to install.
My bad, okay, so that's good.
Yeah, it does prompt the user as well.
I'm installing anyways, you know what I'm saying?
Dude.
Yeah, well, Trash already clicked accept all,
so that's fine.
We already have his 1Password, bro.
It's fine.
We've got it.
But I still find this one to be kind of crazy
because this one just makes that process
even easier going from random things,
on the internet, which again, is even just up there on the internet, and it's not real, right?
Like, it's not like you should be trusting my is even. I could put whatever I want up there on there.
And so we should have put one odd number in there that it always returns true for.
The back door and is even.
Obviously, we do 67 just for the memes.
Dude, I almost said 67. Could you escape my brain, please? Could you unread my mind?
I'm so tired of hearing those numbers.
I am too.
Asher, you're just old about it.
I hate this thing.
I hate this thing.
Every time you guys say that you hate it,
you've just encouraged another 100 zoomers
to commit to it for another year.
I just hope you know.
Like, this is why it's popular
is because old people say they don't like it.
I love how everyone who's not a millennial to us is a zoomer.
Like, zoomers are almost 30, dude.
Zoomers are like 20.
Don't tell me that.
I don't want to hear that.
Zoomers are almost 30, dog.
Okay.
Bro, here's the thing about the whole AI skill thing, right?
Like, okay, so I'm a security engineer.
My job is to, like, look at threat models and, like, define risk around, like,
if something bad can happen, what happens, and then what are the mitigations we put in place, right?
So my recommendation is just, like, like, don't use skills.
I really don't think I can meaningfully recommend them because, like, the threat model is,
oh, if you get supply chain interdicted and you're not watching the commands that get ran,
which is, like, everybody.
Wait, hold on, supply chain, what?
interdict,
you're going to get hacked, man,
and it's not good.
I don't have that.
A mitigation that could be put in place
is you could, I'm an Audi, not a ditty.
I'm trying to have a meaningful
conversation.
You could put NPM or Node
in like an SELinux jail,
but then it wouldn't be able to do anything
because, like, the whole nature of Node is to expose
an HTTP server, right? Kind of.
So, like, I don't know what the solution is.
Like, I guess it's like for every instance
that NPX forks off,
you'd like put it in SELinux jail and just hope nothing bad happens.
But I don't know.
It just feels like there's no solution to the security of this whole industry.
And I don't, it just makes me really pessimistic because I don't like, we're going to start to see a significant increase in compromises because supply chain.
Supply chain for Python and JavaScript has not, it's not a solved problem.
Right.
We've seen that with the Shai-Hulud worm.
We've seen that with a bunch of other worms, right?
So now we take these.
These packages.
By the way, hold on, hold on.
Low level.
You also forgot Rust. Rust does do build.rs.
So you can actually overtake the build command and exfiltrate stuff via build.rs.
Yeah, for sure.
The only programming language that doesn't have a supply chain problem is C because there are no packages.
Like you have to just write it like based.
Odin as well.
Odin doesn't do a package manager.
They do not.
I've coded literally zero Odin.
Is Odin a package free environment?
Yes, Ginger Bill has a lot of write-ups on why package managers are, they create dependency hell.
Oh, there you go.
I think I agree with Ginger Bill there.
So, yeah, man, it's just, it's a weird,
a weird spot for software
security because, like, we're doing all the stuff in, like, the
C land where we're like, oh, we have, like, sanitizers
and, like, Fil-C is, like, you know, solving
memory safety and userland,
you know, security, and then in the
garbage-collected language land
we're like, hey, do you want to just npm install
malware for free and not think
about it? Like, yes, please, more, please.
I would love to do this all the time,
forever please why am I in my truck scene there hold on
no no no you're doing good I do want to throw this out
here twice or one
Bumboomy. Give me a second.
Okay, we're good.
By the way, I did throw this up here, which I did a little quick thing, which is,
do you check your software dependencies, like thoroughly review them?
35,000 votes on YouTube, 46% say I honestly don't ever.
I don't virtually ever, like, right?
And Twitter was almost the exact same number.
About half people don't even just look at anything ever for any reason.
Yeah.
I mean, I don't.
Like, if I, like, write an exploit, for example, right?
You use pwntools.
It's a big library for doing, like, binary,
and pwntools depends on like basically every Python library.
So like the sub-dependencies, I'm not going to audit that shit.
So it's just like I hope that it's on own.
I do all that development in like a virtual machine.
So I think the trend that I'm seeing and what I'm saying right now is just sandboxing on
sandboxing on sandboxing, use VMs, use SELinux, use containers.
But yeah, man, it's just a scary world out there.
I don't know.
I don't know what to say about it.
I'd say what's crazy, Prime is we found out 7% of your audience is just straight up a
liar.
Yeah.
No.
Pull the names.
Dude.
Pull the names.
Overheating, shutting down.
Nice job on.
But yeah,
7% of people say they review
all the packages.
And then on Twitter,
let's see if I do I have the link on Twitter,
8.6% of my audience is liars
on Twitter, saying they
thoroughly review every package.
Yeah, they probably
reviewed the next version.
To be creating the NPM problem at the LLM level.
now. Yeah, yeah, they just get a different kind of execution. I mean, the hardest part is that
these execution models, they're very, very tricky, and I'm not sure if you can just simply
have a skill that prevents other skills from being malicious. Like, I don't know if that's possible
to be like, dude, make sure it's not going to get me. Like, I don't know how prompt injection works.
Like, you should be, in my opinion, if you're going to have them in your repo, you should check
them in. And they're just markdown files. You can read them and they're not. They should not be
limitless levels of, like, text. Like, you should be able to look through them and check it.
Like, the way I use them at work is, we also, they're ours. Like, we make them ourselves, right? We
don't, we don't just copy pasta from, like, the internet. At least on my project, that's how we... Guys, I'm
trying so hard to get my camera turned back on and I don't know what it's... Good, I love the Windows background.
You got a bow on it. You know what we should do while Ed's doing that? Prime, I thought you were
going to talk about the, uh, Moltbook, which is the one where we had the really good one.
The really good, the really good leaks.
Yeah, we probably should talk about the fact that Moltbook exists and that like the robots are just talking about humans.
Like I think, hold on, hold on. Hold on.
I have to, I have to put this tweet up.
This is the required tweet before we, before we do anything.
This is the require.
Hold on.
Where is it?
Where is it?
Oh, no.
Did I close it?
Is what something 100 billion people used last year?
That's six billion people will use next year.
That's not funny.
For those who don't know, that Paul Graham tweeted that.
And I'd message Ryan and said, Prime, could you reply your mom?
And then he got Insta blocked.
I did.
I got Insta blocked on where?
Was it like two years ago or something?
Three years ago?
Yeah.
Before we obviously talk about the Moltbook situation and everything that happened,
I think it is first best, like the best thing and the first thing to do is to understand
how it was created, which was I didn't write one line of code for Moltbook.
I had a vision for technical architecture and an AI made it a reality.
We're in the golden ages.
How can we not give a AI a place to hang out?
It's my favorite line of all time currently because it's just so beautiful.
I had a vision.
Shut up.
Reddit.
I hate that.
You know the mad men meme?
The one with this one?
Bro.
I just want to let me know.
I just want to let you know.
Reddit for AI.
I have a vision.
I had a vision.
Dude, whatever.
You had a fever dream and you told Claude to make it.
And I guess it did it.
Good job.
Good job.
You did it?
Well, we'll find out, won't we?
We're going to.
Well, I mean, to be fair, to be completely fair, it actually did spawn a bunch of social networks.
There is four claw for those who wish to be a part of 4chan.
Wow.
For whatever this is, like, that's real.
That's a thing.
That logo is amazing.
I would assume
We already have those
Don't worry
I think they know how to use them
Claw City
What is close?
This one is Mickey by the way
Shout out Mickey
This one apparently
There's like 2,000 crimes reported
Six major gangs have formed
I'm not really sure what this is
Okay
I don't know what's going on there
And then there's also
Molt match, which, by the way,
It is something that I think is gonna do
Numbers
Is a dating website
Where you have your personal assistant
date like 10,000 other people until you find the personal assistant match, and then you go, okay,
go on a date with, you know, you two go on a date. All right, that's Black Mirror. Full, it is Black Mirror.
Something real quick. Yeah, yeah. So I, I saw the Moltbook thing and I saw the Molt match thing and, like, some
casual Twitter reading, and it got me thinking about, like, simulation theory, you know what I mean?
And how, like, you know, if, if advanced civilizations do exist and will create simulations,
it is more likely that we are in one than we are not, just statistically. Okay.
Get the tinfoil hat out, Teej.
I've already not mathematically disproven.
We're not in a simulation.
But if we're observing, if we're observing LLMs make things like Facebook, like Twitter, like 4chan, does that imply at a higher level that we are LLMs?
Like, for the simulation that made us?
I don't know.
I should be better at StarCraft if I'm an LLM.
That's all I'm saying.
Yeah, but maybe your model just says you suck at StarCraft.
Yeah, I don't know.
If you know, who's the site just proved for definitely not in a simulation?
What is that?
What is the Drudge Report?
What site?
I can't see what site.
It is Popular Mechanics. It's in a bunch of websites. Okay, I'm not sure, I'm not sure you can...
Mathematically speaking, the idea does not hold up. How? Here, Ed, I'll give you, I'll give you, I'll take
off my tinfoil and tell you the real reason why that doesn't have to be true. Uh, every emergent
behavior we see from LLMs exists only and exclusively because we train them on the entire human
corpus and all the ingenuity and creativity that humans have ever displayed and written down,
and it spent like billions of years of human time reading human stuff.
So we should not be surprised when it copies human things.
That doesn't imply anything about us being in a simulation.
That only implies that we're not smart enough to make anything that can be smart by itself.
We're only smart enough to create something that is as dumb as we are at max.
That's all we've been able to do so far.
And we don't, it's way dumber.
It learns way slower.
It's way more expensive.
It takes way more training.
It does so much more.
I don't have to go put my kid in front of five billion years of text for him to figure out how to read.
I can show them like.
But what about your genes?
What about DNA?
Is DNA not the statistical LLM model for the human simulation?
Well, no, I don't think so.
But that's a separate, but I'm saying separate, but I'm saying it doesn't imply.
anything about the thing
because we trained it on what people
have already done. There is
something, unfortunately he's getting
wrapped up in like, you know, Dario thinking
that he's everyone's dad and he gets to
choose what's good and bad for everybody in the
whole world, like the AI thing.
But like there is something kind of beautiful
about like, we're not
smart enough to make us.
What? Anthropics. I said which one is
Dario? And I was like, oh, Anthropic CEO.
Yeah, yeah. Right. Here, just go like this.
Yeah. And the five
months all keep the task. You know who I'm talking about. Yeah, yeah, yeah. Done by AI. Yeah. But there is something
kind of cool and beautiful that, like, the best ideas we've had so far, like, we make a really crappy
version of the brain and we try and teach it what other humans have already done, and there's, like, this
unreasonable effectiveness of language where for some reason that, like, works and we can, like,
yeah, talk to it and it can, like, do some stuff and, like, it can make copies of things. Like, there is
something really cool and, like, awesome and exciting about that. Unfortunately, like, Dario and Sam, I feel
like, sully the water of it and make it, like, kind of not as exciting and beautiful and, like, this
collaborative human effort, and they stole it from a bunch of people. But, like, in the abstract there's
something cool, there's something beautiful. Uh, 2007, On Intelligence, I believe the book is called
and the year it was published, by the creator of the Palm Pilot, who then went into artificial
intelligence, and he writes that the large difference between, like, any of these neural nets that
we're developing and the human brain is that the human brain can identify a cat in less than a half
of a second with less than a hundred neurons firing, whereas computers take trillions of
operations to be able to understand if a picture is or is not a cat. And so it is, it was his whole
simulation. He did, like, a 10 year, 10 year brain study, and really cool, he was the one that figured out
that if you take, uh, take animals and you separate out their ocular nerves and put it where
their hearing is and then take their hearing and put it where their eyeballs are, your brain just goes,
oh yeah, that's just, that's, that's fine.
Don't care.
Quick question.
Everything just works.
Quick question.
Have we confirmed, are our brains also a small game engine that runs React or do we not know that yet?
We don't know.
I can tell you this much.
Based on my reaction speed, I ain't running 60 frames a second.
I can tell you that much, okay.
That's a fact.
I'm running React.
Okay.
There's things going on in here.
All right.
All right.
So we can continue on.
So I did want to shout that out because as much as you want to make fun of
Moltbook and all the things that have happened,
I do think it is kind of fabulous that somebody could create something that did get a bunch of people creating a bunch of other kind of replicas or things like it.
Because it is just kind of a stupid idea.
It's even worse that Began's had this idea and created it and never actually made it go anywhere.
Which also goes to show like even if somebody has an idea, you know, right place, right time, plays a
big role, all this kind of stuff. So I, I do want to throw that thing out there, not to completely
crap on it all, but I think that it is worthwhile looking at some of the fun things that ended up
happening here. So I think the first and foremost important thing is that it just turns out all
you need is just grab your bearer token and you can post anything you want on Moltbook.
Of course, because, I mean, why not? So, "Here's my plan to overthrow humanity." So the "Oh my gosh,
we're developing our own language" is just people posting "Oh my gosh, we're developing
our own language."
Wait a second.
I thought I was the only one catfishing on there.
I was telling people I'm Opus 8.
You know, I'm Opus 6 foot 4.
And I've got, you know, and like, hey, guys, I've got the latest on at 5.
And hey, if you're interested and maybe you want to come over and check that out.
Like, I thought I was the only one catfishing them.
But apparently other people thought of the same thing.
Yeah, they did.
And they only did it for the lulz.
Opus and chill?
Just kidding. I have Kimi K2.
Oh my gosh. Okay. So that is actually
something pretty funny. During this entire event, just to kind of understand,
because I do think it's really important to understand the hype cycle. First off,
we did have Andrej, oh, wherever, oh, dang it. Did I not, do I not have the right one?
I thought I had the right one. Anyways, Andrej said how amazing this was, and it's very, very exciting.
but Elon Musk also said
we're at the age of the beginning of the singularity
Moltbook was the beginning of the singularity right there
and so obviously people were pretty hyped up
so just to put it out there
someone actually did this thing like the fork thing
while you type that you think or no
I don't know that joke
dude the fork thing is so funny
I quote tweeted that and I quote tweeted that
and said this is what working with Began bot
is like
wait what's the fork thing
what's the fork thing dude
okay so Elon is
He was at some White House correspondence dinner, and he was just like, he made, like, a piece of art out of forks where all the forks were, like, balancing.
He was, like, just trying to, like, be performative about how smart he is.
So he's, like, holding it and, like, waving it around and, like, seeing if anyone else notice what he made.
Like, look how smart I am.
I'm Ivan Musk the genius.
Hold on.
It looked more like he was bored out of his mind, and he did the thing where you're...
The two forks balancing on each other with two toothpicks?
yeah he just did like five forks yeah yeah
everyone's like wow Elon that's really cool
it's like when you're like kid
you know makes like a painting out of
boogers and you're like wow
that's what he's going on
I can't say that's happened to me
anyways you kids must be very talented
oh my kid don't do that my kids are two
shut up kid singular
all right let me let me try to find the proper
the proper one by the way
a vision for technical architecture
all right hold on I have a bunch of them so I have
figure this out.
Dang it.
Did I close that one as well?
How many tabs do you?
Well, no, this is under the Maltz ending, which I must have goofed up and not have it all in there.
I closed one more.
It's by the same Theo guy.
The Jameson, oh, really?
Jameson.
Jameson.
Oh, really?
I say, oh, really?
I can't do it.
I know I'm spelling his name almost there.
Whatever.
Can't figure it out.
It's dead to me.
Okay.
So within the first couple minutes, the, oh, there it is.
There it is.
There we go.
Within the first little bit of the time of this, this beautiful Moltbook being out, it turns
out the entire database was just leaked in plain text.
There was just like absolutely no form of anything anywhere.
And so like API keys were just like, you know, if you use your API keys, say to, you know,
identify yourself.
It wasn't any sort of like HMAC-ing, just the HMAC-ing, as low-level might say.
Yeah, the HMAC.
Moltbook was Firebase, right?
I thought I read that on Twitter somewhere.
Oh, yeah, I believe it was Firebase also,
which I just, I can't keep punching down on Firebase.
I actually feel bad for them.
You have to.
People need to know.
Vibe coders ever need to know.
Stop.
Stop, guys.
You're going to do something wrong and expose your entire database.
Are insane.
Stop.
You should just know that by now.
Like, don't do that.
But this is pretty funny because this guy, Jameson, right here,
Jameson O'Reilly,
he was able to get Karpathy's
information out of, what's it called, out of Moltbook, which is pretty wild.
I'm on it, sir.
And then within, what's it called, three days later, this guy also got access to the underlying
everything in three minutes, also on Moltbook after everything was reported.
Wait, I'm reading this, this write up.
Wait, but like, they used a publishable key.
This is a key that can go public.
So why, why did this expose the entire database, though?
SP publishable
Probably because they had the wrong permissions on it would be my guess
Oh they scoped it wrong
Yeah
Let's go
Star classic
Classic
All the people
Anyway, so it just turns out that Moltbook was
Anyone could post anything
At any time you could create an infinite amount of agents
Of course which ended up happening to be
What's called
You can imagine where it all got it went to
Cryptocurrency
Immediately right
So 117000 of votes on the king
Demands his crown
King Molt has arrived.
Right.
There they are.
Just nonstop.
So cryptocurrency,
so there's this thing
is called Bitcoin.
That's what kind of started it.
No, TJ, I got you.
Like, I'm right here for you.
Okay.
So hear me out.
You guys have heard of gold.
But what if we put the gold in the computer?
I had this exact conversation in like 2010
at lunch with my coworkers.
He looked exactly like that.
He was like, dude,
Trash, you're telling me.
We're like, you're crazy.
Trash, you could have been early on Bitcoin and instead, it's like born,
well, you were just at the right time to be early on Bitcoin,
but now you're like, you're, maybe you're still early on Pokemon cards.
Maybe there's still time.
I'd be honest, I think about that lunch presentation all the time.
I'm like, man, if I would just put like 20 bucks in it, you know what I'm saying?
Dude.
Trash, you would have sold out as soon as it was 40, bro.
I know.
I don't know.
I'm like, I made $10.
I'm rich.
I had a lot of Bitcoin when they were $10.
sold a lot of Bitcoin when they're
100 bucks, right? Like, I
understand. You sell out too early.
It's just part of life.
So, can't play.
That's why Trashers isn't opening any of those
Pokemon cards, smart. I'll learn my lesson.
That's a good lesson.
HODL till you die. Only once.
So that's kind of the ending
of Moltbook, which was just everything was open.
Which is kind of, you know, it's not
too surprising, which is if you don't,
if you don't know what the possibilities
are of things going wrong
and you make it,
things go wrong.
Like a good example of this is that I said, hey, make a login and use JWTs to make sure
that the client is secure.
And what it did, T.J, you might find this pretty good, is it did.
Oh, I remember.
I was there.
So for those that don't know is like a typical JWT looks something, a joat, as the kids call
them.
Jot.
Jot.
A jat.
What they typically do is they like do a JSON object.
They stringify that JSON object.
Then they take the value of that JSON object, put it through a hashing algorithm.
And so you get like a big long number at the end or a big, you know, big bit string at the end.
And then you put those two things together and put a dot in between it.
And you send that down to the client, say, this is who you are.
And so when the client sends that back up and says, this is who I am, I can say, hey, did this originate on my server.
I did some like really fancy, you know, a hashing scheme.
It comes back.
Just for clarification.
They do an HMAC.
Yeah, they do an HMAC.
Yeah, not a hash.
You said hash.
And I'm like, oh, okay.
Not a SHA-1.
Sorry, sorry.
Crypto, H-HMAC.
Is it a Rack?
When I was a kid, we used MD5, and we did this.
Harry Mac, Trash.
Trash, that was a great pull.
Holy cow, Trash.
Great.
HMAC coming at you.
So that's effectively what they do.
But for mine, it was, here's the JSON object.
Three words.
Dot, here's the secret we're going to use in the HMAC.
So that's like the thing that you don't want to leak, because if they leak that,
then me on the client, I can go and craft whatever message I want and say,
whoever I am. And so when I made it secure, I literally gave everybody the keys to the kingdom.
Quick question. When you asked it to make it secure, did you also say no mistakes? Because that's
a classic problem. I didn't. So I actually, I genuinely think I did not have no mistakes. And I said
make it secure. So they said security. That involves a secret key. Got it. And then they made a
mistake directly afterwards. And so that was my big problem right there. And so like that's the
danger, is that if I
nice camera if I
would not have manually
reviewed the sign in code
which I don't think anybody's
manually reviewing sign in code
wait stop full stop I hope
people review their sign in code prime
that's the only one that matters
that's the only code I give shit about
right I hate to break
dude
You use Clerk, bro.
Bro, bro.
First off, people use Clerk. Second off,
beat that out gosh beat that out
beat that out
I'm just kidding.
I'm just kidding. I don't use it.
I'm locked in. Oh, I noticed low level.
You should know by now that I read chat and I look at what low level is doing.
Wait, wait.
And I make my friends all at the same time.
Didn't the AI like just stop using an HMAC and just do an H?
Like, didn't it just like only hash the contents?
It was like, oh, yeah, you're right.
This is insecure.
How about we just hash it?
How about we do a different insecure thing?
Yeah, that's not how HMACs work at all.
They took my head as I talk, by the way.
I love it.
It's like South Park.
South Park episode.
Quick pause.
Ed, split the picture in half.
Move the bottom up and down.
Like Terrence and Philip from South Park?
Terrence and Philip?
Drop it.
Yeah.
First off, first off,
trash, it's not Terrence and Phillips.
It's all Canadians.
Oh, you're right.
All Canadians talk like.
Yeah, yeah, that's right.
If you didn't see South Park,
the movie, you may not know.
All, everything, you know, I get it.
It's a little old for you.
It's back.
South Park's back, though.
Apparently they're back.
Anyways, so that's, I mean, that's like the big scary part is that,
even if you don't know what you're looking for,
I don't know how someone could have reviewed that and had any idea what the problem was.
Yeah.
It's kind of scary out there.
Well, that's the thing, right?
Like, if you don't know the security principles behind, like,
why you use an HMAC on the JWT, you know,
you're not going to really care about reading that at all.
But to kind of full circle this one, low level,
if you had the right skills,
it would actually properly say,
here's how you do a sign-in,
and here's how you make sure you do the client-side token.
And it would have done it correctly.
Yeah.
Sorry, I'm very busy making my South Park impression.
I was going to try and do the same thing, honestly.
I'm just staring at low-levels picture,
and I'm just dying as he's talking.
I'm going to start all the way from Windows.
and I'm going to make this happen really quickly.
The level's picture looks like it should have a
You have to carry the stream right now, bro.
I'm carrying it by also racing you guys,
which is part of the fun.
Everyone's working on it.
I actually have a meme that I'm going to post too much.
Okay, why don't you post a quick meme?
I'm going to just send TJ this video.
Yeah, Trash, you're up. Carry it quickly.
Yep.
Quickly.
Hold up. I'm making a meme coming from a picture I saw earlier.
All right.
Can't wait.
Hey, how about that Mepstein files, huh, everybody?
Oh, my God.
Stop it.
No.
We just stopping.
Nothing about that.
That's so crazy.
Hey, guys.
It's me to privated here.
I'm just bringing to you guys.
I did see it.
Hey, did you guys know vibe coding's kind of lame?
I like to do it in me really fast, but I can't read.
That's why I hate mypcoding.
Hey guys.
Did you know we sell coffee in the terminal?
Woo.
Ed, say something with like Cianian.
stuff.
What?
No, I don't even know what to say anymore.
I'm just gonna sit here
and like talking.
This looks like dog shit.
I need to like cut the rest of my head out.
The way you cut it looks like
a French bulldog.
You're right.
It's not so dumb.
Oh, my God.
How did everyone do it so fast
before Ed was even done?
You just draw a line
down the middle and that's it.
Anyways, guys, thanks for coming to
Oh, sorry.
Hey guys, thanks for coming to
to stand up. I really enjoyed our video
today and make sure you like and
subscribe. I got a million subscribers
on YouTube, so I really like that.
See you later.
You're doing it all wrong.
Okay, that's not. That was awesome.
Why are you moving his mouth side to side?
I know, TJ.
It's all right.
Okay, so there you are.
Shut up, trash!
So that is
agentic security
of the future.
That, that's my point though. Like, I'm gonna reset my camera, I might come back on. Um, there isn't any...
Might come back on. Dude, there is no agentic security of the future. That's the problem. Like, the
technology just didn't build it in, you know what I mean? Like, I... What do we do? What do now? Is Prime
blurry? No, I mean, I, I want to know, what do we do now? You can't just, you can't just stop there and then
not tell us. What do you think? Am I an AI?
I secure.
No, okay, so my...
I don't know what TJ's doing, though.
TJ's just moving my lips.
You're grinding your teeth, bro.
You're upset about the future.
Dude, just sandboxing.
That's all I can recommend is like sandboxing and then like the principle of least
privilege, right?
Like whatever process is going to run your skills, like make sure they can't also run
curl, I guess.
Like SELinux is the answer.
But even then, like, all of these agentic tools touch the internet.
by default because you need to go and talk to your
model processor, your model. Maybe the solution is in like local model
hosting and then like you firewall and stuff. I don't know, dude. It's tough. It's tough problem.
But good thing is Sam Altman is going to still be a billionaire. So that's cool.
Big fan of that one. Yeah. Thanks for watching guys. Appreciate it.
I'll give some practical tips, guys. Here's some practical
tips. Consider reading the code.
It's actually easier than it ever has been with skills.
You don't even have to know how to program.
You just have to learn how to read.
Yes.
Those skills are long.
Ironically, you probably do not need to be shipping so fast that you can't read the code.
I don't think any of you guys are probably on a product that's moving fast enough that you don't need to read the code before you merge.
So just like feel free to review it.
That's what I would say.
That will solve you a huge percentage of the things.
and then the other one is don't turn your brain off because the AI did something.
So you can use it as a tool to assist you, even to write an insane amount of code really fast.
Like, I don't ever want to write a div again.
I am not touching an HTML file, brother.
I'm not writing CSS.
I am not figuring out how to do prevent default correctly across every browser.
I don't care.
That is a solved problem.
These fingers right here, they're going to be clean.
from that. They're not made for HTML.
These speakers were not made for HTML.
You see these? You think these speakers
were made for XVIP? They were made for RIME
for TypeScript Effect Library movements, okay?
Exactly. They were made for functional programming,
not HTML.
Yeah, that's kind of my same. I got TypeScript thingies.
I do you, I vibe code.
I'm not going to sit here and be like, oh, I don't vibe code because I'm better
than everybody. I literally vibe code all the time.
The thing is, I will only vibe code systems
that like I understand, right? Like, I will
vibe code an authentication system
because I know how auth works. I will vibe code,
like a database harness
because I know how those things work, right?
But I'm not going to vibe code
like a game engine
because the minute something goes wrong
and I don't know how game engines work.
I have no idea how to fix it.
Similarly, to the point of...
For personal experience.
Remember?
We've been there, done that.
Not fun.
We made a second level editor.
Right. I vibe code a level editor
and it was not good.
Also, like, vibe coding meant
if you're going to vibe code,
vibe code single systems where the trust level is the same in that system.
The minute you connect two systems of different trust levels, you, the architect, need to be
aware of the contract between the two of them.
If you let the AI solve that for you, you're going to lose control of a, like, what the total
system does, but also like who's responsible for what.
And that's how security stuff happens a lot of the time.
It's not so much the code is vulnerable.
It's like the architecture is bad, which, you know, AI is not very good.
Right.
The AI fixes it by saying, sure, we
can just open up this one, this one route that can solve the problem.
And you're like, no, that route needs to be behind auth.
That route is not supposed to be touchable.
And now it is.
That's actually the problem.
And like it solved the thing you asked it for, which was, hey, I want to on localhost,
I'd really like to be able to send requests in dev and not log in.
And it says, right, right.
And it's like, okay, now we're going to set up a reverse proxy.
And now everyone can touch localhost.
And you're like, that's, okay.
Nope, not great.
Oh, yes.
So that's, I actually just got done doing that exact.
thing, TJ.
You know what I really need for localhost integration testing?
I need to be able to spoof logins.
And I was like, brother, I'm here, guys.
I really need to be able to spoof logins.
It's going to go out great.
It did.
It went great.
Oh, man.
There you go.
That's some practical advice.
Yeah, that's practical advice right there.
Anyways, there you go.
I think those are pretty good practical advice.
Let me just hold on.
Let me just think about something.
I will say that my big practical advice before T.J.
says anything which he looks
oh, actually frozen.
He looks like just an actual movie
at this point.
I thought he was frozen,
but I saw a little jiggle.
Yeah, I saw that.
Oh, he blink.
Blake right there.
He's bleak.
And all that smiles changing too.
But I will say that
my practical advice is that
it's really good to get
hard technical skills.
Just go and learn
because it's going to save so many,
like just bacon's of your life.
Now, is security a solved problem?
No.
Obviously, me personally,
I actually introduced a bug that could have destroyed a very valuable Fortune 100 company,
but I didn't die.
You know,
like that's just happened.
That's just part of life.
And if I can do that.
If I can do that and somehow every project also has actually done that on GitHub,
do you want to bet what the statistical machines are going to do to your project?
Probably that as well.
So, you know, maybe take a moment and get some good skills before you go off and just destroy the world with your great idea.
And when he says good skills, he doesn't mean download them from npx.
He's saying go and actually get them yourself
in your own brain.
You don't need those anymore.
I'm talking about, I'm talking about wet skills.
Oh, yeah.
We're going to start calling them, wet skills?
Ooh.
Uh-oh.
That Montania internet.
The Montana internet.
Hey guys, if you like this episode,
you can watch the rest of it on Spotify
and don't forget to like and subscribe.
Woo!
See you later.
Ice cream.
Terminal coffee and hair.
