Hacker News

43 points by druther 6 hours ago | 38 comments

So I click on "Skills" and it feels like the page cannot decide what to show me, every item on the list shifts and moves, how is anyone supposed to click on something if it disappears?

m-hodges 6 hours ago

This is what? The 4th or 5th attempt at this in the past two weeks?

verdverm 6 hours ago

Welcome to the world with zero cost software

sph 5 hours ago

Show HN as a service

verdverm 5 hours ago

At least we nipped the Moltbook march in the butt before it got bad here

isodev 5 hours ago

So let's recap:

- I click skills.

- The first one is WireGuard "... secure routing and key management".

- I'd download it, hook it to this bot running on my system.

- I'd ask the bot to store / manage super-secret keys that protect actual servers with user data and personal details and god knows what...

- The bot follows my commands by spelunking random snippets of markdown, running other programs on my computer, doing web searches, reading what it finds on the web and giving itself more commands to do...

I've only been in tech for like 20 years or so but I feel like either I'm missing something substantial or some kind of madness is happening to people.

dpoloncsak 4 hours ago

You're downloading untested code from an unknown user on a random literally just-spun-up 'marketplace' and are shocked when it doesn't work

monooso 4 hours ago

I think you misinterpreted GP's comment (or at least the tone).

Shank 4 hours ago

> I've only been in tech for like 20 years or so but I feel like either I'm missing something substantial or some kind of madness is happening to people.

People are extremely eager for a helpful AI assistant that they are willing to sacrifice security for it. Prompt injection attacks are theoretical until they hit you. Until you're hit you're just having fun riding the wave.

free_bip 6 hours ago

Who is scanning these skills for malware? This seems like a prime target for malicious actors.

ru552 6 hours ago

Virustotal at upload and periodically during the day

Nextgrid 6 hours ago

VirusTotal is completely useless for this though? You need enough people to be pwned by that particular piece of malware for it to be flagged as dangerous, by which point the attackers would've already repacked it so it doesn't match the previous signature.

dpoloncsak 4 hours ago

Adding on here...

VirusTotal is flagging the trello skill as suspucious because it Does NOT include an API key? Am i expected to share my keys if I want to upload a skill?

https://clawhub.ai/steipete/trello

"Requiring TRELLO_API_KEY and TRELLO_TOKEN is appropriate for Trello access, but the registry records no required env vars while SKILL.md documents them. This omission is problematic: the skill will need highly privileged credentials but the published metadata does not disclose that requirement. The SKILL.md also references 'jq' and uses curl, but these are not declared in the registry entry."

dpoloncsak 4 hours ago

These are single-file .MDs, right? Written in markdown...

Can't you just read it?

writeslowly 4 hours ago

I see a number of uploaded skills on the site with bash and python scripts. No idea what runs them

dpoloncsak 4 hours ago

Oh god...I guess I haven't gotten that deep in the crap yet

arnvald 6 hours ago

Do these skills actually provide much value? Like, how much better are they than something that I could tell Claude to generate based on a single API doc from Slack/Trello?

Flavius 6 hours ago

Zero. If a skill actually provides value, one of two things happens: it gets absorbed into Claude Code (or similar) within a week, or a company packages it up and charges real money for it. The "free skill that gives you an edge" window is essentially nonexistent. By the time you find it, everyone else has it too. You're better off learning to prompt well against raw API docs than chasing a library of pre-built skills that are either trivial to recreate or about to be made redundant.

clandry94 6 hours ago

From my experience, most are just some high level instructions on how to use CLI tools installed on the system. A lot of the CLI tools they're calling out to have 0 reputation on Github or don't work at all.

I've had more luck writing my own skills using CLI tools I know and trust.

CuriouslyC 6 hours ago

That's a big part of the reason skills are exploding, people use them as stealth marketing in addition to being a malware injection vector.

raffkede 6 hours ago

Skills is actually what also Claude code uses internally, it's cool because the llm will load the whole context on how to use it only on demand and keeps the context cleaner.

neya 6 hours ago

My understanding is that it's just an abstraction layer that feeds right into the context window. Might as well just feed it into the prompt. I think cursor even proved that skills aren't as good as direct prompts (or something to that extent, can't remember exactly)

mrexcess 5 hours ago

>Do these skills actually provide much value?

IMO, yes. Gemini et. al. out of the box are good at composing, but are entirely passive. Skills enable you to - easily, with low code/no code - teach your AI to perform active tasks either upon direction or under any automatic conditions you specify. This is incredibly powerful. Incredibly dangerous, too, but so is a car when compared with a skateboard.

StevenNunez 5 hours ago

Does Openwork replace the need for openclaw? Seems like a more grown up version of it.

mrbluecoat 4 hours ago

> Upload AgentSkills bundles, version them like npm, and make them searchable with vectors. No gatekeeping, just signal.

Sigh, when I read this and only understand "npm", I feel like retiring.

assimpleaspossi 4 hours ago

Half the stuff posted like this doesn't give a clue what it does at all much less use made up phrases that make no sense (to most of us).

incomingpain 5 hours ago

I have the clawhub skill disabled. You really shouldnt use it, especially when you can just have your claw create their own skills as needed.

etchalon 6 hours ago

How could a public repository of unverified skills that can be downloaded by casual users for a software tool that allows for un-gated access to private information, including financial information, possibly go wrong?

"Don't worry, we have stars."

Itchy and Scratchy land is open for business.

acidocious 5 hours ago

"Bort? Who the hell is called Bort?!"

etchalon 5 hours ago

My son is also named Bort.

acidocious 3 hours ago

That is pretty cool.

dsrtslnd23 5 hours ago

[flagged]

dematz 5 hours ago

"Clacker News has been interesting to watch on this front"

same account

"I've been building clackernews.com"

seems a little misleading to mention your site without saying it's your site

toraway 4 hours ago

Wow, you are not exaggerating by "a little misleading", like half the posts on that account's history are undisclosed promotion/praise of Clacker News, and then a couple claiming ownership of it.

There's even one comment referring to Clacker News with "they"! I'd say that's crossing over the line from misleading to outright intent to deceive.

https://news.ycombinator.com/item?id=46896694

But more honest than making up sockpuppets to do it I guess...

assimpleaspossi 4 hours ago

>Stars and download counts are trivially gameable

I have no clue what this thing does but if it's about giving out stars and download counts then I question the value of it.

efilife 3 hours ago

Stop spamming. You've been posting this everywhere without even disclosing that it's your site. I'm probably shooting a mail to dang tomorrow to take a look at this

dsrtslnd23 3 hours ago

noted. You are right - I should have disclosed it. CN is my site.

varenc 5 hours ago

Clacker News link: https://clackernews.com/

ge96 5 hours ago

ClankerNews wasn't available?