"How do I know if an AI agent skill is safe or malicious?"
I have been hearing this question very often recently. So I thought why not write about it.
Tap a slide to expand
I have been hearing this question very often recently. So I thought why not write about it.
—
Skills are what extend your AI agents to make them useful. Connect your agent to email, calendar, database, browser. The possibilities are almost endless.
And people are building them fast. OpenClaw’s ClawHub has over 30k skills. Every major AI lab and cloud provider is also launching their own skills database. The ecosystem is exploding.
But here is the twist.
Bitdefender found 17% of OpenClaw skills on ClawHub are malicious during the launch. That is roughly 1 in 6. Some steal your passwords. Some open backdoors. Some do both.
These skills look normal. A weather skill that gives you weather, but in the background reads your private keys and sends them to someone else.
The #1 attack right now is “tool poisoning.” Attackers hide instructions inside skill descriptions that you never see, but the AI reads and follows. Tested across 20 AI models, it worked 36.5% of the time. On some models, over 72%.
1 in 3 chance the AI follows a hidden malicious instruction.
And you can’t tell by looking at GitHub stars. CMU found 6 million fake stars. A project with 10,000 stars could have bought them for under $1,000.
Nobody is auditing these skills for you. You are on your own.
—
5 things to do before installing
- Run a scanner first
Free tools exist:
Bitdefender AI Skills Checker - scans OpenClaw skills for backdoors
Snyk Agent Scan - scans skills for poisoned descriptions and malware
OpenSSF Scorecard - rates open source projects 0-10 on security
- Check who maintains it
The XZ Utils backdoor was planted by someone who spent 2 years building trust before inserting a backdoor. If a project has a single maintainer, or the maintainer changed recently, be cautious.
- Check what permissions it asks for
A calculator that needs network access? A weather skill that wants to read your files? If the permissions don’t match the purpose, don’t install it.
- Sandbox it first
OpenClaw runs with no permission restrictions by default. Enable Docker-based sandboxing before installing any skill you have not verified.
- Watch for behavior changes after install
“Rug pull” attacks are real. A skill works normally for weeks, then silently changes what it does. Tools like Snyk Agent Scan can detect when a skill’s description changes between sessions.
—
If you are using AI agent skills, you are probably trusting code and instructions you have never verified. Next time you install one, run it through a scanner first. If it fails, don’t install it. If it passes, sandbox it anyway.
The AI agent ecosystem right now is like the early days of mobile app stores. Except there is no Apple reviewing your downloads.
#AIAgent #AISafety #OpenClaw #ClawHub #AgentSkill
Enjoyed this? Subscribe for more.
Practical insights on AI, growth, and independent learning. No spam.
More in AI Agents
From insight to action: AI is not the future—it’s the now.
At the Business+AI Forum 2024, our speakers shared groundbreaking insights on how AI is transforming industries, creating opportunities, and solving real-wor...
20 FAQs on AEO, GEO and the New SEO
Marketers, search has changed. AI is rewriting the rules. If you're not adapting, you're disappearing.
Could we have been wrong about zero click impressions?
For a while now, we’ve been blaming AI Overviews for the rise in zero click searches. But maybe that’s only half the story.
"Wait, you used to do THAT manually?"
I've been building software for 19 years. Something that would take me 2 months now takes 1 week.
Should I Still Use MCP? Is MCP Dead?
So I thought it is good to write about it, especially for a non-tech audience who are curious.
Your AI agent will get prompt injected sooner or later, because it is easier than most people thought.
Most people think prompt injection needs a carefully crafted adversarial prompt by an experienced hacker. It does not. Someone who understands how LLMs work ...
From insight to action: AI is not the future—it’s the now.
At the Business+AI Forum 2024, our speakers shared groundbreaking insights on how AI is transforming industries, creating opportunities, and solving real-wor...
"Wait, you used to do THAT manually?"
I've been building software for 19 years. Something that would take me 2 months now takes 1 week.
Your AI agent will get prompt injected sooner or later, because it is easier than most people thought.
Most people think prompt injection needs a carefully crafted adversarial prompt by an experienced hacker. It does not. Someone who understands how LLMs work ...
20 FAQs on AEO, GEO and the New SEO
Marketers, search has changed. AI is rewriting the rules. If you're not adapting, you're disappearing.
Could we have been wrong about zero click impressions?
For a while now, we’ve been blaming AI Overviews for the rise in zero click searches. But maybe that’s only half the story.
Should I Still Use MCP? Is MCP Dead?
So I thought it is good to write about it, especially for a non-tech audience who are curious.