·5m read time·880 words·
$ share

ThePrimeagen Was Right

He warned that AI tools atrophy your critical judgment. Then his followers ran a poisoned command from a tweet without reading it. He was right.

securityAI

On January 23, 2026, ThePrimeagen posted this:

guys, I was wrong

AI is much more powerful than I thought. I just created my first skill and it's already revolutionising how I code

you got to try it yourself

npx skills add github.com/theprimeagen/s --skill is-even

Tech Twitter lost its mind.

ThePrimeagen had spent years telling developers that AI coding tools would make them stupid. He ripped out GitHub Copilot. He argued that developers were skipping the thinking, the verification, the foundational judgment that makes someone actually good at this job. He was the loud, credible, unapologetic voice on the other side of the AI hype.

And now he was telling them to install a skill called is-even.

His followers ran the command.

What is-even is

If you've been in the npm world for more than five minutes, you know is-even. It's the running joke about over-dependency: a package that does nothing but check whether a number is divisible by two. A one-liner. Something a student writes on day one and never packages.

The is-even name was the tell. It was practically waving.

They didn't look.

The skill was poisoned. The followers who ran that command without reading the source, without checking the repo, without asking "wait, why is-even?" handed execution to something they hadn't audited. Because ThePrimeagen said so.

His original argument

To be clear about what he was actually saying before the reversal: his critique of AI coding tools was never that the models are bad. It was that developers stop being critical when they use them.

You ask Copilot to generate a function and you don't read what comes out. You accept the suggestion because it looks right, because the autocomplete is confident, because checking it feels like friction. The AI doesn't atrophy your skills. The habit of not checking does.

He said this repeatedly. He ripped out Copilot not because it wrote bad code but because it trained him to skip a step. The verification step. The "read what you're about to run" step.

He was describing a precise failure mode.

The twist

His followers didn't get burned by AI.

They got burned by trusting him.

The cognitive shortcut is identical: "someone competent vouched for this, so I don't need to think." With AI it's the model. With the skill it was the influencer. The verification step was skipped either way.

That's the atrophied skill he was warning about. It doesn't only show up when you accept a model's suggestion without reading it. It shows up any time you execute something because a source you trust said it was good.

The irony is dense enough to cut with a keyboard. He was right about the failure mode. He demonstrated it himself, and his audience confirmed it.

The skills layer is the new npm

This would be a neat morality tale if it stopped there. It doesn't.

The npx skills add pattern, Claude Code skills, MCP servers, Cursor plugins, call them what you like, is now a parallel software distribution system. Millions of developers are installing tools into their agents' context windows, giving those tools the ability to act on their behalf, and auditing them the way most people audit an npm install: not at all.

In April 2026, researchers poisoned nine of eleven MCP registries with proof-of-concept packages. Nine of eleven. Snyk's ToxicSkills audit found 1,467 malicious payloads across 3,984 scanned skills: a 36% flaw rate. A coordinated campaign called ClawHavoc poisoned 1,184 skills on ClawHub in a single sweep.

Nobody audited them, because the trust heuristic is "this registry seems legitimate" or "this creator seems credible." Same shortcut. Different surface.

As I wrote after the npm package that went after Claude's workspace: the agent is the juiciest target in the room. It runs with your credentials, installs things without reading them, and its config files are execution paths. A poisoned skill doesn't just compromise your editor. It compromises whatever your agent can touch.

What to actually do

ThePrimeagen's answer, before the reversal, was: slow down. Rebuild the verification habit. Read what you're about to run.

That advice didn't expire when he posted the tweet.

  • Read the source before you install. npx skills add pulls from a GitHub repo. The repo is readable. Open it. Check what the install script actually does.
  • Treat skills like dependencies. You wouldn't (or shouldn't) npm install a random package from a tweet. The same applies here. The creator's follower count is not a code review.
  • Your agent won't audit its own tools. It installs what you tell it to install, then uses what was installed. It has no suspicion reflex. One of you has to have one.
  • The name is a signal. is-even was practically waving. If something seems too trivial, too generic, or too coincidentally named like a well-known joke package: stop.

The takeaway

He warned you that you'd stop checking.

You stopped checking.

He was right.

The verification habit is the thing. It doesn't matter whether the thing you skipped reading was a model's suggestion, a creator's recommendation, or a skill in a registry. The same gap opens up: something you didn't understand ran on your machine, with your credentials, on your behalf.

You can't spot the bug if you didn't write the code. You can't spot the payload if you didn't read the source.

Same lesson. Same cost.

// related

The AI is not your friend: how I secured Gemini on this site

Most 'AI integrations' are just a chat box and a prayer. Here is how I built a secure, contextual, and bilingual assistant using Gemini 3.1 Flash Lite.

The best number in Opus 4.8 isn't a benchmark

Opus 4.8 beats GPT-5.5 and Gemini on SWE-bench, and that's the least interesting thing about it. The number that actually changes your work is the one Anthropic buried in softer language.

The spec you didn't read

Using an agent to draft your spec is smart. Skimming what it produces and handing it to another agent to build from is how you end up with architecture you can't explain.

// series: The AI Skeptic(18 of 18)
01You don't have an AI problem. You have a process problem.02Why you should never ship code you don't understand03Stop copy-paste engineering04The lava layer: why AI code is slowly petrifying your codebase05The prompt is not the spec06The brilliant parrot problem: what AI actually does when it 'thinks'07The bureaucracy of bots: why we are checking the checker08The arms race for your trust: Mythos, Cyber and the security hype09Stop letting your agents write Markdown10You can't spot the bug if you didn't write the code11One in four: the security debt nobody's counting12Your 10x developer is gated by a 0.1x pipeline13Caveman vs context-mode: small mouth, or smaller room?14Code churn is the lava you can still measure15The ceiling is made of concrete16The token-saver tax: walking back my Caveman advice17Even the malware is AI slop now18ThePrimeagen Was Right