"How do I know if an AI agent skill is safe or malicious?"
I have been hearing this question very often recently. So I thought why not write about it.
Tap a slide to expand
I have been hearing this question very often recently. So I thought why not write about it.
—
Skills are what extend your AI agents to make them useful. Connect your agent to email, calendar, database, browser. The possibilities are almost endless.
And people are building them fast. OpenClaw’s ClawHub has over 30k skills. Every major AI lab and cloud provider is also launching their own skills database. The ecosystem is exploding.
But here is the twist.
Bitdefender found 17% of OpenClaw skills on ClawHub are malicious during the launch. That is roughly 1 in 6. Some steal your passwords. Some open backdoors. Some do both.
These skills look normal. A weather skill that gives you weather, but in the background reads your private keys and sends them to someone else.
The #1 attack right now is “tool poisoning.” Attackers hide instructions inside skill descriptions that you never see, but the AI reads and follows. Tested across 20 AI models, it worked 36.5% of the time. On some models, over 72%.
1 in 3 chance the AI follows a hidden malicious instruction.
And you can’t tell by looking at GitHub stars. CMU found 6 million fake stars. A project with 10,000 stars could have bought them for under $1,000.
Nobody is auditing these skills for you. You are on your own.
—
5 things to do before installing
- Run a scanner first
Free tools exist:
Bitdefender AI Skills Checker - scans OpenClaw skills for backdoors
Snyk Agent Scan - scans skills for poisoned descriptions and malware
OpenSSF Scorecard - rates open source projects 0-10 on security
- Check who maintains it
The XZ Utils backdoor was planted by someone who spent 2 years building trust before inserting a backdoor. If a project has a single maintainer, or the maintainer changed recently, be cautious.
- Check what permissions it asks for
A calculator that needs network access? A weather skill that wants to read your files? If the permissions don’t match the purpose, don’t install it.
- Sandbox it first
OpenClaw runs with no permission restrictions by default. Enable Docker-based sandboxing before installing any skill you have not verified.
- Watch for behavior changes after install
“Rug pull” attacks are real. A skill works normally for weeks, then silently changes what it does. Tools like Snyk Agent Scan can detect when a skill’s description changes between sessions.
—
If you are using AI agent skills, you are probably trusting code and instructions you have never verified. Next time you install one, run it through a scanner first. If it fails, don’t install it. If it passes, sandbox it anyway.
The AI agent ecosystem right now is like the early days of mobile app stores. Except there is no Apple reviewing your downloads.
#AIAgent #AISafety #OpenClaw #ClawHub #AgentSkill
Enjoyed this? Subscribe for more.
Practical insights on AI, growth, and independent learning. No spam.
More in AI Agents
A curious question from my kids sent Gemini into a hallucination.
Google's AI Overview can be 100% wrong, even when SERP is right.
10 Ways to Reduce the Risk of Running OpenClaw (or Any AI Agent)
The safe answer comes from Peter Steinberger, OpenClaw's creator himself. He said OpenClaw is designed as a personal assistant - one user to one or many agen...
Human will be the differentiation when everyone produces the same things with AI agents with the same skills.
Since the virality of OpenClaw educated the market about agent skills, I have seen a lot of LinkedIn posts sharing 5,678 skills covering many things that pre...
If you are new to Claude Code, turn off dynamic workflows before they burn through your usage limit.
Last week in my workshop, this caught a few learners off guard. One prompt spun up 100+ agents to research "AI patterns to avoid in web design," and burned t...
Claude Code is for software developers, and OpenClaw is more for business users.
A learner said this to another learner during a recent workshop. I think this is the most common and most dangerous misconception about these two tools.
Not every automation needs an AI agent. After burning $25+ with a browser agent just to download analytics of my top LinkedIn posts, I decided to build a simple automation tool that costs nothing to run.
--
A curious question from my kids sent Gemini into a hallucination.
Google's AI Overview can be 100% wrong, even when SERP is right.
If you are new to Claude Code, turn off dynamic workflows before they burn through your usage limit.
Last week in my workshop, this caught a few learners off guard. One prompt spun up 100+ agents to research "AI patterns to avoid in web design," and burned t...
10 Ways to Reduce the Risk of Running OpenClaw (or Any AI Agent)
The safe answer comes from Peter Steinberger, OpenClaw's creator himself. He said OpenClaw is designed as a personal assistant - one user to one or many agen...
Human will be the differentiation when everyone produces the same things with AI agents with the same skills.
Since the virality of OpenClaw educated the market about agent skills, I have seen a lot of LinkedIn posts sharing 5,678 skills covering many things that pre...
Claude Code is for software developers, and OpenClaw is more for business users.
A learner said this to another learner during a recent workshop. I think this is the most common and most dangerous misconception about these two tools.
Not every automation needs an AI agent. After burning $25+ with a browser agent just to download analytics of my top LinkedIn posts, I decided to build a simple automation tool that costs nothing to run.
--