"How do I know if an AI agent skill is safe or malicious?"

I have been hearing this question very often recently. So I thought why not write about it.

—

Skills are what extend your AI agents to make them useful. Connect your agent to email, calendar, database, browser. The possibilities are almost endless.

And people are building them fast. OpenClaw’s ClawHub has over 30k skills. Every major AI lab and cloud provider is also launching their own skills database. The ecosystem is exploding.

But here is the twist.

Bitdefender found 17% of OpenClaw skills on ClawHub are malicious during the launch. That is roughly 1 in 6. Some steal your passwords. Some open backdoors. Some do both.

These skills look normal. A weather skill that gives you weather, but in the background reads your private keys and sends them to someone else.

The #1 attack right now is “tool poisoning.” Attackers hide instructions inside skill descriptions that you never see, but the AI reads and follows. Tested across 20 AI models, it worked 36.5% of the time. On some models, over 72%.

1 in 3 chance the AI follows a hidden malicious instruction.

And you can’t tell by looking at GitHub stars. CMU found 6 million fake stars. A project with 10,000 stars could have bought them for under $1,000.

Nobody is auditing these skills for you. You are on your own.

—

5 things to do before installing

1. Run a scanner first

Free tools exist:

Bitdefender AI Skills Checker - scans OpenClaw skills for backdoors

https://lnkd.in/g2UHHmuH

Snyk Agent Scan - scans skills for poisoned descriptions and malware

https://lnkd.in/gWPQKi9M

OpenSSF Scorecard - rates open source projects 0-10 on security

https://scorecard.dev/

2. Check who maintains it

The XZ Utils backdoor was planted by someone who spent 2 years building trust before inserting a backdoor. If a project has a single maintainer, or the maintainer changed recently, be cautious.

3. Check what permissions it asks for

A calculator that needs network access? A weather skill that wants to read your files? If the permissions don’t match the purpose, don’t install it.

4. Sandbox it first

OpenClaw runs with no permission restrictions by default. Enable Docker-based sandboxing before installing any skill you have not verified.

5. Watch for behavior changes after install

“Rug pull” attacks are real. A skill works normally for weeks, then silently changes what it does. Tools like Snyk Agent Scan can detect when a skill’s description changes between sessions.

—

If you are using AI agent skills, you are probably trusting code and instructions you have never verified. Next time you install one, run it through a scanner first. If it fails, don’t install it. If it passes, sandbox it anyway.

The AI agent ecosystem right now is like the early days of mobile app stores. Except there is no Apple reviewing your downloads.

#AIAgent #AISafety #OpenClaw #ClawHub #AgentSkill

Download carousel document