Adam built a Claude Code skill for his Taffy REST framework and wanted to share it with the CFML community. Simple enough—create a GitHub repo, add some markdown files, done. But somewhere between "this is cool" and "anyone can install this," a familiar chill crept in. These skills are just text files. No checksums. No digital signatures. No verification that the thing you're installing won't quietly exfiltrate your code to some server in Eastern Europe. Sound familiar? It should. We've been here before—back when passwords lived in plain text and "security" meant hoping nobody looked too hard.

The hosts dig into the unsettling parallels between today's LLM plugin ecosystem and the wild west of early internet security.

• Adam's Dotfiles Blog Post - Getting his shit together with dotfiles, Brewfile, and 1Password SSH agent
• CF Community LLM Marketplace - Adam's community marketplace for CFML-related Claude skills
• Steve Yegge's Google Platforms Rant - The infamous accidentally-public Google+ post
• Vibe Coding by Gene Kim & Steve Yegge - The audiobook Ben's been enjoying
• Socket.dev - Supply chain security for npm dependencies

Follow the show and be sure to join the discussion on Discord! Our website is workingcode.dev and we're @workingcode.dev on Bluesky. New episodes drop weekly on Thursday.

And, if you're feeling the love, support us on Patreon.

With audio editing and engineering by ZCross Media.

Full show notes and transcript here.