247: Trust Me Bro - LLM Security
Thu Feb 05 2026
Adam built a Claude Code skill for his Taffy REST framework and wanted to share it with the CFML community. Simple enough—create a GitHub repo, add some markdown files, done. But somewhere between "this is cool" and "anyone can install this," a familiar chill crept in. These skills are just text files. No checksums. No digital signatures. No verification that the thing you're installing won't quietly exfiltrate your code to some server in Eastern Europe. Sound familiar? It should. We've been here before—back when passwords lived in plain text and "security" meant hoping nobody looked too hard.
The hosts dig into the unsettling parallels between today's LLM plugin ecosystem and the wild west of early internet security.
LinksAdam's Dotfiles Blog Post - Getting his shit together with dotfiles, Brewfile, and 1Password SSH agentCF Community LLM Marketplace - Adam's community marketplace for CFML-related Claude skillsSteve Yegge's Google Platforms Rant - The infamous accidentally-public Google+ postVibe Coding by Gene Kim & Steve Yegge - The audiobook Ben's been enjoyingSocket.dev - Supply chain security for npm dependenciesFollow the show and be sure to join the discussion on Discord! Our website is workingcode.dev and we're @workingcode.dev on Bluesky. New episodes drop weekly on Thursday.
And, if you're feeling the love, support us on Patreon.
With audio editing and engineering by ZCross Media.
Full show notes and transcript here.
More
Adam built a Claude Code skill for his Taffy REST framework and wanted to share it with the CFML community. Simple enough—create a GitHub repo, add some markdown files, done. But somewhere between "this is cool" and "anyone can install this," a familiar chill crept in. These skills are just text files. No checksums. No digital signatures. No verification that the thing you're installing won't quietly exfiltrate your code to some server in Eastern Europe. Sound familiar? It should. We've been here before—back when passwords lived in plain text and "security" meant hoping nobody looked too hard. The hosts dig into the unsettling parallels between today's LLM plugin ecosystem and the wild west of early internet security. LinksAdam's Dotfiles Blog Post - Getting his shit together with dotfiles, Brewfile, and 1Password SSH agentCF Community LLM Marketplace - Adam's community marketplace for CFML-related Claude skillsSteve Yegge's Google Platforms Rant - The infamous accidentally-public Google+ postVibe Coding by Gene Kim & Steve Yegge - The audiobook Ben's been enjoyingSocket.dev - Supply chain security for npm dependenciesFollow the show and be sure to join the discussion on Discord! Our website is workingcode.dev and we're @workingcode.dev on Bluesky. New episodes drop weekly on Thursday. And, if you're feeling the love, support us on Patreon. With audio editing and engineering by ZCross Media. Full show notes and transcript here.