"How do I know if an AI agent skill is safe or malicious?"
I have been hearing this question very often recently. So I thought why not write about it.
Tap a slide to expand
I have been hearing this question very often recently. So I thought why not write about it.
—
Skills are what extend your AI agents to make them useful. Connect your agent to email, calendar, database, browser. The possibilities are almost endless.
And people are building them fast. OpenClaw’s ClawHub has over 30k skills. Every major AI lab and cloud provider is also launching their own skills database. The ecosystem is exploding.
But here is the twist.
Bitdefender found 17% of OpenClaw skills on ClawHub are malicious during the launch. That is roughly 1 in 6. Some steal your passwords. Some open backdoors. Some do both.
These skills look normal. A weather skill that gives you weather, but in the background reads your private keys and sends them to someone else.
The #1 attack right now is “tool poisoning.” Attackers hide instructions inside skill descriptions that you never see, but the AI reads and follows. Tested across 20 AI models, it worked 36.5% of the time. On some models, over 72%.
1 in 3 chance the AI follows a hidden malicious instruction.
And you can’t tell by looking at GitHub stars. CMU found 6 million fake stars. A project with 10,000 stars could have bought them for under $1,000.
Nobody is auditing these skills for you. You are on your own.
—
5 things to do before installing
- Run a scanner first
Free tools exist:
Bitdefender AI Skills Checker - scans OpenClaw skills for backdoors
Snyk Agent Scan - scans skills for poisoned descriptions and malware
OpenSSF Scorecard - rates open source projects 0-10 on security
- Check who maintains it
The XZ Utils backdoor was planted by someone who spent 2 years building trust before inserting a backdoor. If a project has a single maintainer, or the maintainer changed recently, be cautious.
- Check what permissions it asks for
A calculator that needs network access? A weather skill that wants to read your files? If the permissions don’t match the purpose, don’t install it.
- Sandbox it first
OpenClaw runs with no permission restrictions by default. Enable Docker-based sandboxing before installing any skill you have not verified.
- Watch for behavior changes after install
“Rug pull” attacks are real. A skill works normally for weeks, then silently changes what it does. Tools like Snyk Agent Scan can detect when a skill’s description changes between sessions.
—
If you are using AI agent skills, you are probably trusting code and instructions you have never verified. Next time you install one, run it through a scanner first. If it fails, don’t install it. If it passes, sandbox it anyway.
The AI agent ecosystem right now is like the early days of mobile app stores. Except there is no Apple reviewing your downloads.
#AIAgent #AISafety #OpenClaw #ClawHub #AgentSkill
Enjoyed this? Subscribe for more.
Practical insights on AI, growth, and independent learning. No spam.
More in AI Agents
LangChain on AI Agents vs Workflow Builders
(I admit, I’ve contributed to one of those posts myself)
From ChatGPT to Claude Code: A Non-Techie’s Introduction to the Raw Power of AI by a Techie
Not because I don't like sharing. But because the only tool I use for 99% of my AI needs is Claude Code. And while I think it is not hard to learn, I'm never...
I finally concede that AI is smarter than me.
For 2 years, I held onto reasons like “AI can't solve my kid's homework” or “It can't play tic-tac-toe” to believe I was still smarter.
Your RAG System's Real Problem Isn't Hallucination
Two top common root causes are:
Are we being manipulated by brilliant UX/UI designers in the AGI pitch?
When ChatGPT 3.5 launched in November 2022 and went viral, some argued that the real breakthrough wasn’t in AI — it was in UX/UI. I agreed.
冬至快乐!Happy Winter Solstice Festival!
I’m curious to see how well Meta AI can create images of Chinese cultural festivals.
LangChain on AI Agents vs Workflow Builders
(I admit, I’ve contributed to one of those posts myself)
Your RAG System's Real Problem Isn't Hallucination
Two top common root causes are:
冬至快乐!Happy Winter Solstice Festival!
I’m curious to see how well Meta AI can create images of Chinese cultural festivals.
From ChatGPT to Claude Code: A Non-Techie’s Introduction to the Raw Power of AI by a Techie
Not because I don't like sharing. But because the only tool I use for 99% of my AI needs is Claude Code. And while I think it is not hard to learn, I'm never...
I finally concede that AI is smarter than me.
For 2 years, I held onto reasons like “AI can't solve my kid's homework” or “It can't play tic-tac-toe” to believe I was still smarter.
Are we being manipulated by brilliant UX/UI designers in the AGI pitch?
When ChatGPT 3.5 launched in November 2022 and went viral, some argued that the real breakthrough wasn’t in AI — it was in UX/UI. I agreed.