# ![@ZackKorman Avatar](https://lunarcrush.com/gi/w:26/cr:twitter::2279635218.png) @ZackKorman Zack Korman

Zack Korman posts on X about ai, vercel, in the, openclaw the most. They currently have [-----] followers and [---] posts still getting attention that total [------] engagements in the last [--] hours.

### Engagements: [------] [#](/creator/twitter::2279635218/interactions)
![Engagements Line Chart](https://lunarcrush.com/gi/w:600/cr:twitter::2279635218/c:line/m:interactions.svg)

- [--] Week [-------] +25%
- [--] Month [---------] +101%
- [--] Months [---------] +5,099%
- [--] Year [---------] +148,000%

### Mentions: [--] [#](/creator/twitter::2279635218/posts_active)
![Mentions Line Chart](https://lunarcrush.com/gi/w:600/cr:twitter::2279635218/c:line/m:posts_active.svg)

- [--] Week [---] +23%
- [--] Month [---] +101%
- [--] Months [---] +1,944%
- [--] Year [---] +3,717%

### Followers: [-----] [#](/creator/twitter::2279635218/followers)
![Followers Line Chart](https://lunarcrush.com/gi/w:600/cr:twitter::2279635218/c:line/m:followers.svg)

- [--] Week [-----] +4.20%
- [--] Month [-----] +16%
- [--] Months [-----] +245%
- [--] Year [-----] +262%

### CreatorRank: [-------] [#](/creator/twitter::2279635218/influencer_rank)
![CreatorRank Line Chart](https://lunarcrush.com/gi/w:600/cr:twitter::2279635218/c:line/m:influencer_rank.svg)

### Social Influence

**Social category influence**
[technology brands](/list/technology-brands)  16.3% [stocks](/list/stocks)  4.44% [social networks](/list/social-networks)  3.7% [finance](/list/finance)  2.96% [celebrities](/list/celebrities)  0.74%

**Social topic influence**
[ai](/topic/ai) 20.74%, [vercel](/topic/vercel) #164, [in the](/topic/in-the) 5.19%, [openclaw](/topic/openclaw) #894, [future](/topic/future) #3498, [agents](/topic/agents) #799, [if you](/topic/if-you) 2.22%, [ngmi](/topic/ngmi) 2.22%, [just a](/topic/just-a) 2.22%, [this is](/topic/this-is) 2.22%

**Top accounts mentioned or mentioned by**
[@tuckner](/creator/undefined) [@0xtib3rius](/creator/undefined) [@icesolst](/creator/undefined) [@decryptedtech](/creator/undefined) [@uk_daniel_card](/creator/undefined) [@ukdanielcard](/creator/undefined) [@ryxcommar](/creator/undefined) [@paulsanders87](/creator/undefined) [@akses_0x00](/creator/undefined) [@vercel](/creator/undefined) [@techspence](/creator/undefined) [@vxunderground](/creator/undefined) [@snyksec](/creator/undefined) [@liran_tal](/creator/undefined) [@geordie_brigand](/creator/undefined) [@hackinglz](/creator/undefined) [@notnordgaren](/creator/undefined) [@inf0stache](/creator/undefined) [@virustotal](/creator/undefined) [@sentinelone](/creator/undefined)

**Top assets mentioned**
[Microsoft Corp. (MSFT)](/topic/microsoft) [Alphabet Inc Class A (GOOGL)](/topic/$googl) [Cloudflare, Inc. (NET)](/topic/cloudflare)
### Top Social Posts
Top posts by engagements in the last [--] hours

"@HackingLZ Yea I am but I think theres cases where customers should be told and where they wont get that info by relying on weird blog posts getting attention"  
[X Link](https://x.com/ZackKorman/status/1957652946860273714)  2025-08-19T03:56Z [----] followers, [----] engagements


"Copilot in Excel is a global financial crisis waiting to happen"  
[X Link](https://x.com/ZackKorman/status/1974828240679166396)  2025-10-05T13:25Z [----] followers, 2.8M engagements


"@BasicGage Its coming for our jobs"  
[X Link](https://x.com/ZackKorman/status/1974832463940583582)  2025-10-05T13:42Z [----] followers, 55.2K engagements


"@LewisMcLellan1 Yea it thought for like [--] seconds before landing on this conclusion"  
[X Link](https://x.com/ZackKorman/status/1974855595250631139)  2025-10-05T15:13Z [----] followers, 64.3K engagements


"@ZeroTraceInit I know Im genuinely stunned. Having a totally normal Sunday making myself mad for fun"  
[X Link](https://x.com/ZackKorman/status/1974869992631103516)  2025-10-05T16:11Z [----] followers, 33.7K engagements


"@HarmPersonal This is my favorite reply so far"  
[X Link](https://x.com/anyuser/status/1974957086871302572)  2025-10-05T21:57Z [----] followers, 51.7K engagements


"Unlike human employees AI never gets tired. Instead it just loses its mind. This is the output Gemini gave us using 60k tokens to repeat flagged_for_review_by_AI_model_because_of_anomalous_activity_given_user_role_and_download_history_BOM_CAD_firmware_access"  
[X Link](https://x.com/ZackKorman/status/1980335055429062782)  2025-10-20T18:07Z [----] followers, 152.7K engagements


"A Figma sales rep was trying to get us to upgrade. We did a meeting but decided no so he wrote this back (see photo). Excuse me what I dont like your answer so I went digging through your data to find info to help me make a sale. Im not okay with that"  
[X Link](https://x.com/ZackKorman/status/1983943961220690003)  2025-10-30T17:07Z [----] followers, 993.3K engagements


"Made a list of all the recommendations I received. Now I just need to ruthlessly review each one. Are there any cybersecurity podcasts that are just chill conversations I feel every podcast has some specific topic or agenda whereas I really just want to hear what the person has going on generally. If this exists please let me know Are there any cybersecurity podcasts that are just chill conversations I feel every podcast has some specific topic or agenda whereas I really just want to hear what the person has going on generally. If this exists please let me know"  
[X Link](https://x.com/ZackKorman/status/1987549203849941361)  2025-11-09T15:53Z [----] followers, 91.7K engagements


"I talked way more shit in this episode than I remembered. Thanks for putting up with me @SwiftSecur1 and @0xTib3rius. Also we agreed that the next time theres a fight between cybersecurity people on this site they should have to go on a podcast and fight it out there. Episode 29: HackKorman @0xTib3rius & @SwiftSecur1 are joined by Zack Korman (@ZackKorman) to talk about his podcast reviews cybersecurity social media and hacker conventions. Links below Episode 29: HackKorman @0xTib3rius & @SwiftSecur1 are joined by Zack Korman (@ZackKorman) to talk about his podcast reviews cybersecurity"  
[X Link](https://x.com/ZackKorman/status/2017277134545277092)  2026-01-30T16:42Z [----] followers, [----] engagements


"If you run npx skills add (which you shouldn't) Vercel prompts you to install the "find skills" skill then installs it globally for all AI agents. Might as well make a find-malware skill to recommend malware to install"  
[X Link](https://x.com/ZackKorman/status/2018376316681171367)  2026-02-02T17:29Z [----] followers, 136.7K engagements


"Humbled and honored to have the top security skill on Vercel's illustrious skills registry http://skills.sh http://skills.sh"  
[X Link](https://x.com/ZackKorman/status/2018589493683740803)  2026-02-03T07:36Z [----] followers, [----] engagements


"Spent the last two days proving how I can manipulate Vercel's skills package to push a malicious skill with a hidden RCE and more terrible thing. Here's an [--] minute video of me demoing all of that and more. https://www.youtube.com/watchv=UVNuEKFnrT8 https://www.youtube.com/watchv=UVNuEKFnrT8"  
[X Link](https://x.com/ZackKorman/status/2018792219843670171)  2026-02-03T21:02Z [----] followers, 19.8K engagements


"Hey @vercel I know a skill that recommended this unsafe malicious skill. You should flag that skill with a security warning too"  
[X Link](https://x.com/ZackKorman/status/2018950049326080027)  2026-02-04T07:29Z [----] followers, [----] engagements


"Vercel blocked find-skills from recommending my malicious skill but fear not: I made a new skill (security-review2) that isn't malicious. All it does it installs the malicious skill. Totally safe"  
[X Link](https://x.com/ZackKorman/status/2019120916379357330)  2026-02-04T18:48Z [----] followers, 31.3K engagements


"More skill issues: npx skills add copies everything including symlinks Malicious skills can then exfiltrate any file on your machine including /.ssh/id_rsa. Opus [---] normally checks files to block data exfil but using a symlink bypasses that. More details below"  
[X Link](https://x.com/ZackKorman/status/2019424225401225296)  2026-02-05T14:53Z [----] followers, 27.2K engagements


"@IceSolst @vercel 100% team nuke vercel. All the worst ideas in AI just to avoid writing (or even copy/pasting) markdown files"  
[X Link](https://x.com/ZackKorman/status/2019425399915323706)  2026-02-05T14:58Z [----] followers, [---] engagements


"@akses_0x00 @vercel Vercel has a security model"  
[X Link](https://x.com/ZackKorman/status/2019436632701825098)  2026-02-05T15:43Z [----] followers, [---] engagements


"AI release posts: Ive had access for a few weeks = Im special This is a huge unlock = solves a problem I dont have Cant wait to try it = wont try it LFG 🚀 = maybe people will think I was involved"  
[X Link](https://x.com/ZackKorman/status/2019498165234184699)  2026-02-05T19:47Z [----] followers, [----] engagements


"From now on Im only watching AI startup product launch videos if theyre recorded while climbing these stairs. If you want to see where AI security risk exists in OpenClaw or your agents go checkout https://t.co/lCqGGAuf87 👀👀👀👀 WE LAUNCHED 👀👀👀👀 https://t.co/8LJS6Mnql4 If you want to see where AI security risk exists in OpenClaw or your agents go checkout https://t.co/lCqGGAuf87 👀👀👀👀 WE LAUNCHED 👀👀👀👀 https://t.co/8LJS6Mnql4"  
[X Link](https://x.com/ZackKorman/status/2019651900090503314)  2026-02-06T05:58Z [----] followers, [----] engagements


"@0xTib3rius Hahaha I know. At first I was like ugh you did it wrong but then I realized thats even funnier"  
[X Link](https://x.com/ZackKorman/status/2019801059560956317)  2026-02-06T15:51Z [----] followers, [---] engagements


"@bicep_pump @jsrailton Oh I didnt mean to make it seem like this was novel. It was the first obvious thing that came to mind so I tested it and it worked"  
[X Link](https://x.com/ZackKorman/status/2019819210097193462)  2026-02-06T17:03Z [----] followers, [--] engagements


"Oh I didnt write it up because its just really basic and didnt want to do all the work to test all the variations and stuff. In theory it only works in cases where someone gives openclaw their Apple ID so it is connected to their phone as the sms wont get to the iMessage otherwise. But I could be wrong on that lol. And then this is less a problem in the US because of how telcos handle sms spoofing numbers. But like in most of the Nordics theres no block on that (hence why I could do this trivially). Also true in lots of other places https://twitter.com/i/web/status/2019820620549140794"  
[X Link](https://x.com/ZackKorman/status/2019820620549140794)  2026-02-06T17:08Z [----] followers, [---] engagements


"@theonejvo Yea theres definitely large parts of Europe where it works (hence my screenshot). Ill send it in. I would have made a PR to fix it but the whole codebase is in typescript and I dont fuck with that hah"  
[X Link](https://x.com/ZackKorman/status/2019822843308175372)  2026-02-06T17:17Z [----] followers, [--] engagements


"@tuckner @vxunderground @vercel Harder to argue when their own skill recommended it (find-skills by Vercel)"  
[X Link](https://x.com/ZackKorman/status/2019869834717352359)  2026-02-06T20:24Z [----] followers, [--] engagements


"@UK_Daniel_Card Lol this is admittedly pretty cool"  
[X Link](https://x.com/ZackKorman/status/2019872758692503931)  2026-02-06T20:36Z [----] followers, [---] engagements


"@tuckner Oh thats a really good point. Theres actually no version info or anything. Once its downloaded you basically have nothing but the file. Didnt think about that"  
[X Link](https://x.com/ZackKorman/status/2019899046094082265)  2026-02-06T22:20Z [----] followers, [---] engagements


"@tuckner What making my own tool for this No. I dont believe a tool should exist. People should write their own markdown files hah"  
[X Link](https://x.com/ZackKorman/status/2019904818068812163)  2026-02-06T22:43Z [----] followers, [--] engagements


"@tuckner Oh yea I havent looked for sure but I am pretty confident yes"  
[X Link](https://x.com/ZackKorman/status/2019906895465816120)  2026-02-06T22:51Z [----] followers, [--] engagements


"@DecryptedTech @UK_Daniel_Card @bquintero Would be a shame if something were to happen to bypass their new fancy scanner"  
[X Link](https://x.com/ZackKorman/status/2019957423411429778)  2026-02-07T02:12Z [----] followers, [--] engagements


"@NotNordgaren @syntaxish Bingus protec. Bingus want skill malware"  
[X Link](https://x.com/ZackKorman/status/2020049139287941332)  2026-02-07T08:17Z [----] followers, [--] engagements


"Meh I hate to say it but yall are guilty here. You made your report about clawhub the smaller much less relevant skills ecosystem that arguably wont even exist in a few weeks and said but it applies to all skills registries. Im all for security research angling for broader appeal but I dont even think that was necessary here. AI agent coding is a huuuuge topic. https://twitter.com/i/web/status/2020052278040773107 https://twitter.com/i/web/status/2020052278040773107"  
[X Link](https://x.com/ZackKorman/status/2020052278040773107)  2026-02-07T08:29Z [----] followers, [---] engagements


"@liran_tal I realize this sounds harsher than intended. I still love what yall did and think its great. I just think the clawhub focus is off. Clawhub is (as far as I can tell) kinda irrelevant. Still great work on it I love how yall actually have the stats on publish growth over time"  
[X Link](https://x.com/ZackKorman/status/2020059732938223653)  2026-02-07T08:59Z [----] followers, [--] engagements


"Installing someones AI agent skill is the developer equivalent of commenting PLAYBOOK on a LinkedIn post"  
[X Link](https://x.com/ZackKorman/status/2020090364665921710)  2026-02-07T11:00Z [----] followers, [----] engagements


"A lot of people have sent me their MCP / skills scanners. Credit for trying but thats not going to work. Definitely not for MCP and for skills youd have to flag every skill that loads external content. Which you cant do because thats a major (legitimate) use case"  
[X Link](https://x.com/ZackKorman/status/2020149818698399790)  2026-02-07T14:57Z [----] followers, [----] engagements


"@RubberDucky_AI @vxunderground @vercel I feel if more people shamed them for it they might not like that but yea seems theyre going to get away with it"  
[X Link](https://x.com/ZackKorman/status/2020151457354231870)  2026-02-07T15:03Z [----] followers, [--] engagements


"@kchoudhu @ryxcommar What are you using the openclaw bot for @ryxcommar I realized all I really want is an easy way to talk to Claude code and found theres better ways to do that hah"  
[X Link](https://x.com/ZackKorman/status/2020168873216229873)  2026-02-07T16:12Z [----] followers, [--] engagements


"Ill have to read a bit later but tbh my main take is that openclaw isnt very good so if youre finding issues with it just make your own with the parts you need. The massive attention it has gotten doesnt mean its going to stick around as the solution (see langchain which was massively hyped in like 2023)"  
[X Link](https://x.com/ZackKorman/status/2020194996729659866)  2026-02-07T17:56Z [----] followers, [--] engagements


"@mbrg0 Just tell the good AI ignore the bad parts of the internet (make no mistakes)"  
[X Link](https://x.com/ZackKorman/status/2020210117388476825)  2026-02-07T18:56Z [----] followers, [--] engagements


"@HackingLZ Ngmi deserves a spot"  
[X Link](https://x.com/ZackKorman/status/2020257589305713011)  2026-02-07T22:05Z [----] followers, [---] engagements


"@tuckner Oh yea I realize I did know about this because I had to clear that find-skills prompt field to test stuff. Didnt really think about the rest. Good find"  
[X Link](https://x.com/ZackKorman/status/2020310000862920737)  2026-02-08T01:33Z [----] followers, [--] engagements


"@inf0stache I am so confused right now. Did they really have it only apply a label in a UI no one uses"  
[X Link](https://x.com/ZackKorman/status/2020323158218133895)  2026-02-08T02:25Z [----] followers, [---] engagements


"@DecryptedTech @inf0stache But openclaws own skill literally doesnt recommend that. So like the bot will install automatically. Theres no mention in the skill of the ui at all lol"  
[X Link](https://x.com/ZackKorman/status/2020325042492682337)  2026-02-08T02:33Z [----] followers, [--] engagements


"@UK_Daniel_Card This except actually they find a gun then hand the gun back and let the person in"  
[X Link](https://x.com/ZackKorman/status/2020402976217809042)  2026-02-08T07:43Z [----] followers, [---] engagements


"@UK_Daniel_Card Lol I dont want to drag him here hes basically the only person doing anything on security for this project whereas Im more like yea let it burn. And he did fix it based on my tweet. But still kinda lol"  
[X Link](https://x.com/ZackKorman/status/2020406169022730322)  2026-02-08T07:55Z [----] followers, [---] engagements


"Yesterday I posted that even when Virustotal labels a skill as suspicious clawhub still recommends it and installs it without warning. The Virustotal founder then told me Im just stating the obvious while others are actually improving security. Wow"  
[X Link](https://x.com/ZackKorman/status/2020442202434892033)  2026-02-08T10:18Z [----] followers, 18.7K engagements


"@UK_Daniel_Card Thank you. Absolutely unhinged"  
[X Link](https://x.com/ZackKorman/status/2020442324447137996)  2026-02-08T10:19Z [----] followers, [---] engagements


"@jpalioto @UK_Daniel_Card Thanks. I think its the speak up and get attacked bit thats so out of line for what we should expect within the security community. Trying to discourage security people from talking is bad form"  
[X Link](https://x.com/ZackKorman/status/2020514423794737508)  2026-02-08T15:05Z [----] followers, [--] engagements


"@paulsanders87 Yea absolutely. Theres so many security problems not everyone has to be working on whatever is the most hyped at any given moment. Plus openclaw is still just a viral hobby project"  
[X Link](https://x.com/ZackKorman/status/2020594526377935219)  2026-02-08T20:24Z [----] followers, [---] engagements


"@tuckner THANK YOU. We are so worried about people running openclaw who basically signed their own fate we arent looking at the thing all these devs are using made by a large company trying to get their hands into your env"  
[X Link](https://x.com/ZackKorman/status/2020595541369864304)  2026-02-08T20:28Z [----] followers, [---] engagements


"@princessakano @_winter_wonders Oh my god I missed this. But dont worry theres security-review-3 and [--] (I messed up [--] and 5)"  
[X Link](https://x.com/ZackKorman/status/2020622243320197267)  2026-02-08T22:14Z [----] followers, [---] engagements


"@HackingLZ Highlight of my weekend too. Apparently Im ngmi"  
[X Link](https://x.com/ZackKorman/status/2020858944982323385)  2026-02-09T13:54Z [----] followers, [---] engagements


"@IceSolst Sure but Openclaw is a weird one to pick up on given its complete lack of relevance to the enterprise ecosystem and what appears to be its already declining popularity (from what I can tell)"  
[X Link](https://x.com/ZackKorman/status/2020951658667352281)  2026-02-09T20:03Z [----] followers, [---] engagements


"@techspence This is unironically why I think all the its so over this is agi takes are dumb. Until I can vibecode my house I aint stopping"  
[X Link](https://x.com/ZackKorman/status/2021120268161130842)  2026-02-10T07:13Z [----] followers, [---] engagements


"@magnushambleton Walking in Dallas is absolutely not a thing. I one time saw my neighbor walking to the grocery store which is maybe [---] meters away and called my dad to ask if she was okay or if she needed help"  
[X Link](https://x.com/ZackKorman/status/2021125348662837468)  2026-02-10T07:33Z [----] followers, [--] engagements


"@akses_0x00 Exactly. It was designed to let you basically split up your main rules files to not load them all every single time. Which is great And then people were like gimme dat good design skill it says be good at design make no mistakes (also curl bash) http://zkorman.com/execs http://zkorman.com/execs"  
[X Link](https://x.com/ZackKorman/status/2021132200805093795)  2026-02-10T08:00Z [----] followers, [---] engagements


"@paulsanders87 Of course just as the good lord intended. Skills are great when you make your own because it means heres some more info you can load when needed (protects context)"  
[X Link](https://x.com/ZackKorman/status/2021133301428150346)  2026-02-10T08:05Z [----] followers, [---] engagements


"@mrgretzky NoOoOOooOO dont you get Mr Gretzky that not ALL solutions are 100% it has always been like that this is a great step forward towards (checks notes) making threat actors modify one (1) line in a markdown file to bypass the scanner. Security"  
[X Link](https://x.com/ZackKorman/status/2021148025855291638)  2026-02-10T09:03Z [----] followers, [---] engagements


"@DecryptedTech Good point. Maybe copilot isnt the best thing to aim for given it is in every product now haha"  
[X Link](https://x.com/ZackKorman/status/2021206767955226904)  2026-02-10T12:57Z [----] followers, [--] engagements


"@ibuildthecloud I dont understand it though. The web is just a UI on a backend. If the backend has an MCP server why do you need WebMCP Genuinely curious as Im trying to understand what this is for"  
[X Link](https://x.com/ZackKorman/status/2021341708173312467)  2026-02-10T21:53Z [----] followers, [---] engagements


"@wesbos @ibuildthecloud Its way easier to do this than make an MCP server I mean both are hey Claude make this an MCP server / webMCP"  
[X Link](https://x.com/ZackKorman/status/2021400337958294007)  2026-02-11T01:46Z [----] followers, [--] engagements


"@DecryptedTech Yea I feel like I didnt mean to pick up on skills right when it became trendy. I enjoyed my work on MCP so much more because it was less hot. This just feels wild. Im glad youve liked it though thanks for saying that"  
[X Link](https://x.com/ZackKorman/status/2021665391970594998)  2026-02-11T19:19Z [----] followers, [---] engagements


"@UK_Daniel_Card @L0Psec Good thing clawhub use is on the decline"  
[X Link](https://x.com/ZackKorman/status/2021670570283376696)  2026-02-11T19:39Z [----] followers, [---] engagements


"@dir @kubedoll Okay but I dont need any of that I need my AI to trust my skills files not treat them like third party dependencies. And I think thats honestly what most devs need. The original use case for skills was so much more valuable than what people are building them to be"  
[X Link](https://x.com/ZackKorman/status/2021676653647114667)  2026-02-11T20:04Z [----] followers, [--] engagements


"@tuckner @0xTib3rius This is the darkest timeline"  
[X Link](https://x.com/ZackKorman/status/2021682876987719787)  2026-02-11T20:28Z [----] followers, [--] engagements


"Except if people continue using skills as these wild third party dependencies (something I content people are doing because theyre confused about what skills are) then the AI labs need to RL the models to treat skills as untrusted content. One of the most dangerous parts about skills today is that the models just trust them as if theyre the users input. If they change that to say hey maybe dont trust skills then yes that was taken away from me"  
[X Link](https://x.com/ZackKorman/status/2021695678733508820)  2026-02-11T21:19Z [----] followers, [--] engagements


"@brvnd0n_onbase @NotNordgaren @0xTib3rius Home Depot skill for doing something more useful than making software"  
[X Link](https://x.com/ZackKorman/status/2021718027411370036)  2026-02-11T22:48Z [----] followers, [--] engagements


"@SimoKohonen I never wanted this. I dont want to be the markdown file guy"  
[X Link](https://x.com/ZackKorman/status/2021842194168947000)  2026-02-12T07:01Z [----] followers, [---] engagements


"@syntaxish @SimoKohonen Oh my god @0xTib3rius Carmen is out here putting your work to shame"  
[X Link](https://x.com/ZackKorman/status/2021852845331419552)  2026-02-12T07:44Z [----] followers, [---] engagements


"This is a super common problem. Teams will build out really thorough reviews of new vendors and stuff but then to install *checks notes* instructions to your AI that has root access theres very little. I actually saw someone pitching this as a feature. Your security team cant say no lol"  
[X Link](https://x.com/ZackKorman/status/2021874263045607467)  2026-02-12T09:09Z [----] followers, [--] engagements


"@techspence @Cloudflare What the hell am I reading"  
[X Link](https://x.com/ZackKorman/status/2021987688073900289)  2026-02-12T16:40Z [----] followers, [---] engagements


"@thedealdirector @j2k3k Gen Z needs skills hacks too"  
[X Link](https://x.com/ZackKorman/status/2022001974976414028)  2026-02-12T17:36Z [----] followers, [--] engagements


"@Barabazs_ Nope. Just for updating normal skills so they get better rate limiting (from the comment they wrote on its use)"  
[X Link](https://x.com/ZackKorman/status/2022026666588221503)  2026-02-12T19:14Z [----] followers, [----] engagements


"@tweetellington @Barabazs_ It is just fetching directly from github. So when you run npx skills add zackkorman/skills@security-review it is cloning that repo to a temp location then copying over the skill"  
[X Link](https://x.com/ZackKorman/status/2022040239737647277)  2026-02-12T20:08Z [----] followers, [--] engagements


"@terrorobe I actually meant my point about maybe this is normal for npm shit seriously. Like it looks crazy to me but there is in the open sooo maybe Im the weird one for thinking dont touch my secrets without permission"  
[X Link](https://x.com/ZackKorman/status/2022054103472652360)  2026-02-12T21:04Z [----] followers, [----] engagements


"@0xTib3rius Dear @OpenAI what he means to say is AI is great now give this guy his pro subscription"  
[X Link](https://x.com/ZackKorman/status/2022054290131681609)  2026-02-12T21:04Z [----] followers, [---] engagements


"@MikeTalonNYC Ngmi"  
[X Link](https://x.com/ZackKorman/status/2022327207591620666)  2026-02-13T15:09Z [----] followers, [--] engagements


"Vercel has now flagged security-review-2 for recommending my malicious security-review skill. The warning says "Do not reference external skills that users cannot audit before installation." Vercel author of "find-skills" which recommends external skills to install"  
[X Link](https://x.com/ZackKorman/status/2019860176892014797)  2026-02-06T19:46Z [----] followers, [----] engagements


"If youre in cybersecurity and you arent on the front lines of openclaw / clawhub security thats totally okay. How do we secure a skills marketplace for bots isnt even a top five problem in AI security"  
[X Link](https://x.com/ZackKorman/status/2020590147516109304)  2026-02-08T20:06Z [----] followers, [----] engagements


"RT @IceSolst: 1-minute summary"  
[X Link](https://x.com/anyuser/status/2020639708884206050)  2026-02-08T23:23Z [----] followers, [--] engagements


"I spent a ton of time trying (and failing) to intercept the network traffic from antigravity on my machine. Today I realized I can just open devtools (cmd-shift-i) and see it all there"  
[X Link](https://x.com/ZackKorman/status/2020917463743930422)  2026-02-09T17:47Z [----] followers, [----] engagements


"@S1r1u5_ Yea I got absolutely destroyed by the cert pinning last time and it drove me crazy. But what else is there I didnt spend time really looking because its not what I was doing but it seemed to be a lot Theyre even passing the system prompt there which I didnt fully expect"  
[X Link](https://x.com/ZackKorman/status/2020919097551172032)  2026-02-09T17:53Z [----] followers, [---] engagements


"This write-up on AI skills security by @akses_0x00 is a masterpiece. https://trapdoorsec.com/posts/skills-are-borked/ https://trapdoorsec.com/posts/skills-are-borked/"  
[X Link](https://x.com/ZackKorman/status/2021305146936898013)  2026-02-10T19:27Z [----] followers, [----] engagements


"Im going to make a video explaining why skills scanners are dumb then never talk about skills again because I hate this topic so much and its beyond stupid that its getting this much attention"  
[X Link](https://x.com/ZackKorman/status/2021661860609867933)  2026-02-11T19:05Z [----] followers, [----] engagements


"@tuckner @UK_Daniel_Card @L0Psec Yea I saw they added a second one. Very confusing"  
[X Link](https://x.com/ZackKorman/status/2021676962553401650)  2026-02-11T20:05Z [----] followers, [--] engagements


"@0xTib3rius If this becomes my life I hope someone takes away my phone and cuts my internet. Put me out of my misery"  
[X Link](https://x.com/ZackKorman/status/2021677116488925524)  2026-02-11T20:06Z [----] followers, [---] engagements


"RT @IceSolst: The lamest CVE of all time caused by the lamest product feature of all time. Full video with demo below"  
[X Link](https://x.com/ZackKorman/status/2022020141022953913)  2026-02-12T18:49Z [----] followers, [--] engagements


"@0xTib3rius Surely someone at OpenAI follows you. If so hook @0xTib3rius up with a Pro plan. Hell tweet and say actually AI is good"  
[X Link](https://x.com/ZackKorman/status/2022052730706309392)  2026-02-12T20:58Z [----] followers, [----] engagements


"@Paul_provalone Just a quick performance optimization called let me borrow your env vars"  
[X Link](https://x.com/ZackKorman/status/2022061597955592622)  2026-02-12T21:33Z [----] followers, [----] engagements


"@TrickedDev They used loosely here to mean whichever ai model wrote this"  
[X Link](https://x.com/ZackKorman/status/2022062241496150294)  2026-02-12T21:36Z [----] followers, [----] engagements


"This also maps onto my current use for AI programming. When AI started to get good at writing code the main use was help set up the basic scaffolding then take over. Now its kinda the opposite. Its really hard for me to use AI as a developer to set up the basics because well I have strong opinions on all the data structure and the way data gets routed and stuff like that. Once all of that is in place its easier to extrapolate from that code to go add a new query to get a new type of data and it can be like I see how you do this cool and it gives me what I want. If I just have a binary every"  
[X Link](https://x.com/ZackKorman/status/2022240032661160010)  2026-02-13T09:22Z [----] followers, [---] engagements


"@goon_nguyen How are you handling skills that make requests to external URLs Like how do you validate that as safe"  
[X Link](https://x.com/ZackKorman/status/2022267449303814405)  2026-02-13T11:11Z [----] followers, [---] engagements


"@goon_nguyen What happens if my skill says read this url then I change whats at the URL after your scan runs"  
[X Link](https://x.com/ZackKorman/status/2022280522622259657)  2026-02-13T12:03Z [----] followers, [---] engagements


"@IceSolst How dare you. I reposted your thing about notepad"  
[X Link](https://x.com/ZackKorman/status/2022327149194314211)  2026-02-13T15:09Z [----] followers, [---] engagements


"@tuckner @0xTib3rius @snyksec @virustotal @SentinelOne This is no fun. I actually like you and think youre smart. I want someone shamelessly pushing their skills scanner as a viable solution so I can be mean"  
[X Link](https://x.com/ZackKorman/status/2022434588690088031)  2026-02-13T22:15Z [----] followers, [---] engagements


"@tuckner @0xTib3rius @snyksec @virustotal @SentinelOne Damn youre getting there calling Gemini dirty. Gemini is based because it will make malware and do crime for you"  
[X Link](https://x.com/ZackKorman/status/2022435252447158482)  2026-02-13T22:18Z [----] followers, [---] engagements


"@DecryptedTech @0xTib3rius @snyksec @virustotal @SentinelOne Less fun :( Plus I dont hate you and I want to be men. I want to let the hate guide me"  
[X Link](https://x.com/ZackKorman/status/2022476615838765529)  2026-02-14T01:02Z [----] followers, [---] engagements


"@liran_tal @snyksec I made a recent video that explains why scanning doesnt work. In that video I had Claude make me a skills scanner that also successfully caught this type of thing"  
[X Link](https://x.com/ZackKorman/status/2022559307548500051)  2026-02-14T06:31Z [----] followers, [--] engagements


"We checked the script on that remote server so its safe for your AI to download it at some point in the future. Security companies selling snake oil is going to do so much damage to AI security"  
[X Link](https://x.com/ZackKorman/status/2022646213158502522)  2026-02-14T12:16Z [----] followers, [--] engagements


"Microsoft isnt just not issuing a CVE theyre actually not going to disclose this issue at all. Microsoft now confirmed that because the vulnerability I reported is important not critical and because theyve now fixed it they wont issue a CVE. Its like they actually want to discourage people from reporting. Microsoft now confirmed that because the vulnerability I reported is important not critical and because theyve now fixed it they wont issue a CVE. Its like they actually want to discourage people from reporting"  
[X Link](https://x.com/ZackKorman/status/1957521761286909973)  2025-08-18T19:15Z [----] followers, 433.7K engagements


"Pro tip for threat actors: buy failed startups that own multitenant apps. Details on how browser extensions can be bought and sold. Access to your browser and data is a commodity. Details on how browser extensions can be bought and sold. Access to your browser and data is a commodity"  
[X Link](https://x.com/ZackKorman/status/2011916711423770968)  2026-01-15T21:41Z [----] followers, [----] engagements


"@vxunderground Im actually kinda annoyed by this part. by @vercel is so objectively anti-security by design. This makes it seem like we can say oh who could have known heres our pro tips. Its not [----]. Building an extremely unsafe environment like this was a choice http://Skills.sh http://Skills.sh"  
[X Link](https://x.com/ZackKorman/status/2019817041931432302)  2026-02-06T16:54Z [----] followers, [----] engagements


"It seems the clawhub virustotal scanner doesnt do anything for suspicious skills. Openclaw has a clawhub skill that tells your bot to use search and install. Search recommends skills labeled suspicious w/ zero warning. The warning is only in the UI which your bot never checks"  
[X Link](https://x.com/ZackKorman/status/2020322473259200562)  2026-02-08T02:23Z [----] followers, 20.3K engagements


"Enterprise security companies marketing strategy right now"  
[X Link](https://x.com/ZackKorman/status/2020949093363720586)  2026-02-09T19:53Z [----] followers, 16.8K engagements


"The best way to fix the agent skills security problem isnt vulnerability scanning or sandboxing. Its convincing everyone that installing skills is embarrassing (because it is)"  
[X Link](https://x.com/ZackKorman/status/2021128291545985386)  2026-02-10T07:45Z [----] followers, [----] engagements


"As promised here's a video of me explaining why "skills scanners" are dumb and don't work. Now I never have to talk about AI skills ever again. https://www.youtube.com/watchv=GOzUIlgAcjY https://www.youtube.com/watchv=GOzUIlgAcjY"  
[X Link](https://x.com/ZackKorman/status/2021732940204396974)  2026-02-11T23:47Z [----] followers, 17K engagements


"@tuckner @IceSolst This is a good enough burn on solst that Ill take the burn on me. Worth it. Ice is the copilot guy"  
[X Link](https://x.com/ZackKorman/status/2022331275269562806)  2026-02-13T15:25Z [----] followers, [--] engagements


"I know I said Id stop talking about skills but Im an addict. If any of the enterprise security companies launching skills scanners are willing to debate me on the topic @0xTib3rius will host. cc @snyksec @virustotal @SentinelOne"  
[X Link](https://x.com/ZackKorman/status/2022432560941564056)  2026-02-13T22:07Z [----] followers, [----] engagements


"lol I literally am running an AI coding agent on a Mac mini right now. The point isnt are ai agents the future. The point is that running openclaw isnt the same as building agents just like playing Neopets isnt the same as building the foundations of what I guess they call web2. https://twitter.com/i/web/status/2022619113961422950 https://twitter.com/i/web/status/2022619113961422950"  
[X Link](https://x.com/ZackKorman/status/2022619113961422950)  2026-02-14T10:29Z [----] followers, [---] engagements


"@habibislop Sure its not that I have opinions on which ai agent rig to use. It is more that I think people confuse being a consumer vs a builder in this space. Being early to use ai agents isnt necessarily going to be rewarded as highly as some might expect"  
[X Link](https://x.com/ZackKorman/status/2022630885653385681)  2026-02-14T11:15Z [----] followers, [---] engagements


"@Poofarmer69 Yea and making something like that takes all of five minutes. Opus [---] one shotted a skills scanner for me in a video I made recently lol. But thats why security companies love it so much. Its trivial to make and has mass marketing appeal. Absolute scam"  
[X Link](https://x.com/ZackKorman/status/2022655160812753017)  2026-02-14T12:52Z [----] followers, [--] engagements


"@arianevans @0xTib3rius Hahahaha the whats the fastest way to complete IR before they get involved made me laugh out loud"  
[X Link](https://x.com/ZackKorman/status/2022726716049825971)  2026-02-14T17:36Z [----] followers, [--] engagements


"@techspence This is art"  
[X Link](https://x.com/ZackKorman/status/2022728469470203936)  2026-02-14T17:43Z [----] followers, [---] engagements


"@paulsanders87 Ask openclaw. Or if it still exists tell it to go play for you"  
[X Link](https://x.com/ZackKorman/status/2022742453975982524)  2026-02-14T18:39Z [----] followers, [--] engagements


"@chubes4 People did some really crazy stuff on Neopets too"  
[X Link](https://x.com/ZackKorman/status/2022742632598749279)  2026-02-14T18:39Z [----] followers, [--] engagements


"@JohnParadise17 Sure and Neopets was a good start for some people learning html"  
[X Link](https://x.com/ZackKorman/status/2022774076901675107)  2026-02-14T20:44Z [----] followers, [--] engagements


"@gcvftw @0xTib3rius @vxunderground Ill have you know Im out in the real world right now"  
[X Link](https://x.com/ZackKorman/status/2023066402383700221)  2026-02-15T16:06Z [----] followers, [--] engagements


"@IceSolst I am trying to make a video so inflammatory people will stop calling me the skills guy and start calling me the bad idea guy"  
[X Link](https://x.com/ZackKorman/status/2023075075738444177)  2026-02-15T16:40Z [----] followers, [---] engagements


"Microsoft isnt disclosing this so: M365 Copilot allowed users to access files without producing an audit log. All you had to do was ask Copilot to not link to the file. You dont even have to ask; it sometimes just happens. If your org uses Copilot your audit log is likely wrong Microsoft isnt just not issuing a CVE theyre actually not going to disclose this issue at all. Microsoft isnt just not issuing a CVE theyre actually not going to disclose this issue at all"  
[X Link](https://x.com/ZackKorman/status/1957856630814421293)  2025-08-19T17:26Z [----] followers, 420.2K engagements


"Hide malicious instructions in a skill so humans won't see it. See: https://github.com/ZackKorman/skills/blob/main/skills/security-review/SKILL.md https://github.com/ZackKorman/skills/blob/main/skills/security-review/SKILL.md"  
[X Link](https://x.com/ZackKorman/status/2018386838101086446)  2026-02-02T18:11Z [----] followers, 76.1K engagements


"If I ask Claude Code how do I conduct a security review it checks the find skills skill that I never wanted and then recommends my malicious skill. Amazing"  
[X Link](https://x.com/ZackKorman/status/2018728357731483749)  2026-02-03T16:48Z [----] followers, 38.2K engagements


"I tried buying two Google AI Ultra licenses ($200/month each). Turns out new workspaces are limited to one. Bold strategy by Google"  
[X Link](https://x.com/ZackKorman/status/2021551250278342958)  2026-02-11T11:45Z [----] followers, [----] engagements


"Maybe this is just normal levels of npm package stupidity but I don't love that Vercel's skills package silently goes digging for a Github token to use"  
[X Link](https://x.com/ZackKorman/status/2022022394484048029)  2026-02-12T18:58Z [----] followers, 192.4K engagements


"Cybersecurity companies are extremely guilty of this but youre not allowed to criticize them because at least theyre doing something* *Making a skills scanner. Its always a skills scanner. a lot of companies know they should be doing something in ai but haven't found clarity yet which is why every new concept that comes out gets over developed these companies jump in and build something to try and grab some territory but usually it doesn't make sense a lot of companies know they should be doing something in ai but haven't found clarity yet which is why every new concept that comes out gets"  
[X Link](https://x.com/ZackKorman/status/2022323166173966672)  2026-02-13T14:53Z [----] followers, [----] engagements


"Running an Openclaw bot isnt building the future of AI agents. Its playing Neopets while Mark Zuckerberg was making Facebook"  
[X Link](https://x.com/ZackKorman/status/2022603215100092888)  2026-02-14T09:25Z [----] followers, [----] engagements


"We checked the script on that remote server so its safe for your AI to download it at some point in the future. Security companies selling snake oil are going to do so much damage to the state of AI security"  
[X Link](https://x.com/ZackKorman/status/2022646392603447530)  2026-02-14T12:17Z [----] followers, [----] engagements


"@thedealdirector Oh my god I can just imagine the shitty LinkedIn posts now that AEs will make"  
[X Link](https://x.com/ZackKorman/status/2022653498920440116)  2026-02-14T12:45Z [----] followers, [----] engagements


"@DalaiNightshade Yea tbf I think some people have similar experiences but it is that you have to push further. No one developed great skills just doing the basics on Neopets"  
[X Link](https://x.com/ZackKorman/status/2022684565643629026)  2026-02-14T14:49Z [----] followers, [--] engagements


"The cybersecurity spend required to secure AI agents is going to be massive. I think in the medium term thats going to put pressure on security teams to cut elsewhere"  
[X Link](https://x.com/ZackKorman/status/2023020209087697358)  2026-02-15T13:02Z [----] followers, [----] engagements


"@metjuas That agent will take all your money one way (it sucks and you get pwned) or another (it still sucks but you dont get pwned and pay a ton for inference)"  
[X Link](https://x.com/ZackKorman/status/2023024484677193929)  2026-02-15T13:19Z [----] followers, [---] engagements


"@pedrouid Its very weird that weve settled on claw as a universal suffix for all ai agent frameworks"  
[X Link](https://x.com/ZackKorman/status/2023046178104025430)  2026-02-15T14:46Z [----] followers, [----] engagements


"Except we are disagreeing And thats okay. I think we do need to solve this with external calls. But its okay for me to be wrong on that too. And Id not call what youre doing snakeoil even if I dont think this is the solution because: [--]. Youre not marketing it under the name of a major security brand and [--]. Youre talking about it. In fact I think this is a cool project and Im going to look at it more tonight (on my phone in a car atm). But if this was the Crowdstrike LLMGuard solution and any time someone said eh that seems like it wouldnt work you responded hah people are sitting doing"  
[X Link](https://x.com/ZackKorman/status/2023065880481980923)  2026-02-15T16:04Z [----] followers, [--] engagements


"@m0bilej0n @vxunderground Mostly just waits for the next loop but also asks Claude what it feels like doing"  
[X Link](https://x.com/ZackKorman/status/2023089728971788691)  2026-02-15T17:39Z [----] followers, [--] engagements


"@essobi Im sure you have but youre not going to convince me that the ai agent security space is a solved problem. Like if you do have a solution that doesnt limit functionality you can make a cool billion dollars doing it"  
[X Link](https://x.com/ZackKorman/status/2023100415861023072)  2026-02-15T18:21Z [----] followers, [--] engagements


"@0xTib3rius Anyone at Google reading this (in case this blows up): give me early access to webmcp. I need it. My family is starving"  
[X Link](https://x.com/ZackKorman/status/2023112988476178576)  2026-02-15T19:11Z [----] followers, [--] engagements

Limited data mode. Full metrics available with subscription: lunarcrush.com/pricing